JP2021500816A - Vehicle-mounted equipment upgrade method and related equipment - Google Patents

Abstract

Embodiments of the present invention disclose vehicle-mounted device upgrade methods and related devices. The method may be applied to a vehicle-mounted system, which includes a vehicle-mounted controller and one or more vehicle-mounted devices to be upgraded, in which the vehicle-mounted controller includes a vehicle-mounted upgrade package. The step and the vehicle-mounted controller are the steps in which the vehicle-mounted upgrade package contains multiple upgrade files, and each upgrade file is used to upgrade at least one vehicle-mounted equipment to be upgraded. The step of performing security verification on multiple upgrade files and the step of sending the target upgrade file to the target vehicle-mounted equipment to be upgraded by the vehicle-mounted controller using the target upgrade file. The upgrade file contains steps, which are the upgrade files whose security verification was successful in multiple upgrade files. According to this application, vehicle-mounted equipment can be upgraded securely and efficiently.

Description

The application relates to the field of vehicle-mounted technology, in particular to vehicle-mounted equipment upgrade methods and related equipment.

In the future, each vehicle will become a network of vehicles on the Internet, virtually the same as web-connected devices such as computers and mobile phones. It is estimated that 60% to 70% of North American vehicle recalls are caused by firmware / software issues. Therefore, upgrading the firmware / software of vehicle-mounted equipment is an indispensable measure. Conventional upgrade target vehicle on-board equipment Vehicles are reclaimed for firmware / software upgrades. Such methods have the disadvantages of high cost and long cycles.

Therefore, future vehicle-mounted equipment will use wireless (Over-The-Air, OTA) technology to perform more flexible remote upgrades, much like remote upgrades for computers and mobile phones today. There is a need. Remote firmware / software upgrades for vehicle-mounted equipment can bring many benefits. For example, this helps to quickly fix important firmware / software bugs, improves vehicle safety, and adds new features and mechanisms to the vehicle in a timely manner over its full useful life. Therefore, in this OTA method, the firmware / software upgrade can be performed without collecting the vehicle. This can reduce many costs for the manufacturer or seller of the vehicle and provide convenience to the vehicle owner.

However, during the remote upgrade of the equipment installed in the vehicle to be upgraded, some of the equipment installed in the vehicle to be upgraded have problems such as the limitation of computing power and the limit of storage space. It is low-key and can even affect the upgrade of the entire vehicle-mounted system. Therefore, how to ensure a secure and efficient firmware / software upgrade for vehicle-mounted equipment is an urgent issue to be resolved.

An embodiment of the present invention provides a vehicle-mounted device upgrade method and related devices that solve the problem of not being able to perform secure and efficient firmware / software upgrade of a vehicle-mounted device.

According to the first aspect, one embodiment of the present invention provides a vehicle-mounted device upgrade method, the vehicle-mounted device upgrade method.
The vehicle-mounted controller is the step to obtain the vehicle-mounted upgrade package, where the vehicle-mounted upgrade package contains multiple upgrade files, and each upgrade file is used to upgrade at least one vehicle-mounted equipment to be upgraded. , Steps, and the step that the vehicle-mounted controller performs security verification for multiple upgrade files, and the target upgrade of the vehicle-mounted controller to the target vehicle-mounted equipment that should be upgraded using the target upgrade file. Includes a step of submitting a file, where the target upgrade file is an upgrade file that has been successfully validated for security within multiple upgrade files. According to the present embodiment of the present invention, the vehicle-mounted control device side performs security verification processing on the vehicle-mounted upgrade package required for upgrading the vehicle-mounted equipment, and the vehicle to be upgraded has different upgrade capabilities. It prevents on-board equipment from being involved in the security verification process, thereby ensuring that vehicle-mounted equipment is securely and efficiently upgraded using the vehicle-mounted upgrade package.

In one possible embodiment, the vehicle-mounted upgrade package contains a first digital signature, and the vehicle-mounted controller performs security verification on multiple upgrade files with the vehicle-mounted controller first. Includes steps to perform digital signature verification on multiple upgrade files using digital signatures. In other words, the vehicle-mounted upgrade package is verified using a digital signature, which guarantees the validity of the vehicle-mounted upgrade package obtained from outside the vehicle-mounted equipment by the vehicle-mounted controller.

In one possible embodiment, the method comprises a step in which the vehicle-mounted controller sends identification credentials to the upgrade server and, if the identification credentials are authenticated by the upgrade server, the vehicle-mounted controller and the upgrade server. Including the step of establishing a secure channel between, and the step of the vehicle-mounted controller acquiring the vehicle-mounted upgrade package from the upgrade server, the vehicle-mounted controller takes the step of acquiring the vehicle-mounted upgrade package from the upgrade server via the secure channel. Includes steps to get a vehicle-mounted upgrade package. In other words, a secure channel is established between the vehicle-mounted controller and the upgrade server to ensure the confidentiality of the vehicle-mounted upgrade package in the transmission process. In this case, the vehicle-mounted upgrade package does not have to be further encrypted.

In one possible embodiment, the vehicle-mounted upgrade package is encrypted using a first key, the first key is a symmetric key, and this method allows the vehicle-mounted controller to first from the key server. After a step in which the vehicle-mounted controller performs digital signature verification on multiple upgrade files using a first digital signature, further including the step of obtaining the key of the vehicle-mounted controller However, if the digital signature verification is successful, it includes the step of decrypting multiple upgrade files using the first key. In other words, the vehicle-mounted upgrade package is encrypted and the encryption key is stored on a dedicated key server, which effectively guarantees the confidentiality of the vehicle-mounted upgrade package in the transmission process.

In one possible embodiment, the vehicle-mounted controller should be upgraded using the target upgrade file. The step of sending the target upgrade file to the targeted vehicle-mounted equipment is targeted by the vehicle-mounted controller. With the step of splitting the upgrade file into multiple upgrade subfiles, the vehicle-mounted controller uses a preconfigured algorithm to generate multiple interrelated data blocks from multiple upgrade subfiles and uses a second key. In the step of generating the first message authentication code MAC of multiple data blocks, the second key is the symmetric algorithm key, the step and the vehicle-mounted controller are the target vehicle-mounted equipment to be upgraded. Includes a step of sequentially transmitting a plurality of data blocks carrying the MAC of. In other words, during the transmission of the vehicle-mounted upgrade package between vehicle-mounted equipment, the upgrade file is split into multiple related data blocks using a preset algorithm and MAC processing is performed on those related data blocks. As such, the vehicle-mounted controller divides the complete upgrade file into multiple data blocks that can be transmitted separately and validated against them separately. In addition, since multiple data blocks are associated, a data block with a security problem can be quickly identified using a related algorithm. Therefore, the computational workload and computational complexity per unit time of the upgraded vehicle-mounted equipment with relatively weak capacity is reduced. After an upgrade file transmission error occurs, the error can be found as quickly as possible, so only the error is required to be resent, not the entire upgrade file. In this way, secure and efficient upgrades of vehicle-mounted equipment are further guaranteed.

In one possible embodiment, the method further comprises a step in which the vehicle-mounted controller encrypts each of the plurality of upgrade subfiles using a third key, the vehicle-mounted controller pre-installs. The step of generating multiple interrelated data blocks from multiple upgrade subfiles using a configuration algorithm is multiple encrypted by the vehicle-mounted controller using a preset algorithm using a third key. Includes steps to generate multiple interrelated data blocks from the upgrade subfile of. The validity of the vehicle-mounted upgrade package is guaranteed, while the confidentiality of the vehicle-mounted upgrade package is further guaranteed, thereby preventing the vehicle-mounted upgrade package from being obtained by an unauthorized person.

In one possible embodiment, the target upgrade file contains multiple upgrade subfiles, multiple interrelated data blocks are generated from multiple upgrade subfiles using a preset algorithm, and the multiple upgrade subfiles Carrying a second digital signature of multiple data blocks generated using the fourth key, the fourth key is an asymmetric key, and the vehicle-mounted controller validates security against multiple upgrade files. The steps to do include a step in which the vehicle-mounted controller inspects the second digital signature of multiple data blocks, and the vehicle-mounted controller should be upgraded using the target upgrade file. The step of sending the target upgrade file to the target vehicle-mounted device is the step in which the vehicle-mounted controller uses the fifth key to generate a second MAC for multiple data blocks, where the fifth key is. It includes a step, which is a symmetric algorithm key, and a step in which the vehicle-mounted controller sequentially transmits a plurality of data blocks carrying a second MAC to the target-upgraded vehicle-mounted device. In other words, block transmission and signing of vehicle-mounted upgrade packages can be performed by the upgrade developer. That is, the data block is acquired and signed by partitioning using a preset algorithm before it is acquired by the vehicle-mounted controller. In this case, the vehicle-mounted device must first check the validity of the data block, and then perform MAC processing on the checked data block. In this way, the validity of the vehicle-mounted upgrade file in the in-vehicle transmission process is guaranteed, while the computational workload and computational complexity of the vehicle-mounted equipment to be upgraded is reduced. Therefore, vehicle-mounted equipment is upgraded securely and efficiently.

In one possible embodiment, the preset algorithm includes any one of the Hash Chain algorithm, the Hash Tree algorithm, and the Bloom Filter algorithm. The preset algorithm uses the hash function of the algorithm described above to divide the target upgrade file into multiple interrelated data blocks. In this way, during MAC processing, MAC processing can be performed on only one of a plurality of data blocks, and the other related data blocks can be checked for interrelationship using hash values.

In one possible embodiment, the method is a step in which the vehicle-mounted controller retransmits the target data block to the target-upgraded vehicle-mounted device, wherein the target data block is the target upgrade target within the plurality of data blocks. It also includes steps, which are data blocks whose verification has failed in vehicle-mounted equipment. Based on the transmission of the relevant block, the data block whose verification failed can be quickly identified, and in the event of such a transmission error, only the corresponding data block, not the entire upgrade file, needs to be reclaimed. Well, it reduces overhead, improves upgrade efficiency, and guarantees upgrade security.

According to a second aspect, one embodiment of the present invention is an intelligent vehicle that may include a vehicle-mounted control device and at least one upgradeable vehicle-mounted device.
Vehicle-mounted equipment should obtain a vehicle-mounted upgrade package, perform security validation on multiple upgrade files in the vehicle-mounted upgrade package, and upgrade using the targeted upgrade file. Assuming that the target upgrade file is sent to, each upgrade file is used to upgrade at least one vehicle-mounted equipment to be upgraded, and the target upgrade file is the upgrade file whose validation was successful in multiple upgrade files. Consists of
The target vehicle-mounted device receives the target upgrade file sent by the vehicle-mounted controller, performs a secure upgrade using the target upgrade file, and the upgraded target vehicle-mounted device is the target upgrade target vehicle-mounted device. Is configured as
Providing intelligent vehicles.

In one possible embodiment, the vehicle-mounted controller is specifically configured to perform digital signature verification on multiple upgrade files using a first digital signature. In other words, the vehicle-mounted controller of the intelligent vehicle of the present embodiment of the present invention needs to check the validity of a plurality of upgrade files in the vehicle-mounted upgrade package obtained from the outside of the vehicle.

In one possible embodiment, the vehicle-mounted controller
If the identification credentials are sent to the upgrade server and the identification credentials are authenticated by the upgrade server, a secure channel is established between the vehicle-mounted controller and the upgrade server, and the upgrade server sends the vehicle through the secure channel. The on-board upgrade package is specifically configured to obtain an on-board upgrade package, or the vehicle-mounted upgrade package is encrypted using a first key, the first key is a symmetric key, and the vehicle-mounted controller is the first. After obtaining one key from the key server and successfully digitally signing verification performed on multiple upgrade files using the first digital signature, multiple upgrade files using the first key Specially configured to decipher. In other words, the vehicle-mounted controller of the intelligent vehicle of the present embodiment of the present invention may establish a secure channel to the server edge to ensure the security of the process of obtaining the vehicle-mounted upgrade package.

In one possible embodiment, the vehicle-mounted controller splits the target upgrade file into multiple upgrade subfiles, uses a preset algorithm to generate multiple interrelated data blocks, and uses a second key. Generates the first message authentication code MAC of multiple data blocks, sequentially sends multiple data blocks carrying the first MAC to the target vehicle-mounted device, and the second key is the symmetric algorithm. Specially configured to be the key,
The vehicle-mounted device to be upgraded sequentially receives multiple data blocks transmitted by the vehicle-mounted controller carrying the first MAC, and uses the second key to generate multiple data based on a preset algorithm. It is specifically configured to perform validation on blocks in sequence, and once all of the data blocks have been validated, combine those sequentially validated data blocks for upgrade.

In other words, after verifying the validity of the vehicle-mounted upgrade package obtained from outside the vehicle, the vehicle-mounted controller of the intelligent vehicle of the present embodiment of the present invention guarantees the validity of the upgrade file during in-vehicle transmission. In order to do so, the upgrade file is divided into blocks and MAC processing is performed in the vehicle. In addition, the vehicle-mounted equipment to be upgraded can receive and inspect blocks of upgrade files, allowing quick identification of errors. In addition, the computational complexity of MAC inspection is relatively low. Therefore, it can be guaranteed that inspection and upgrade are relatively easy for the equipment mounted on the vehicle to be upgraded, which has a relatively weak upgrade capacity in the vehicle. In this way, the efficiency and security of vehicle upgrades are guaranteed.

In one possible embodiment, the vehicle-mounted controller
Multiple upgrade subfiles are encrypted using a third key, and multiple interrelated data from multiple upgrade subfiles encrypted using a third key using a preconfigured algorithm. Generate blocks,
Specially configured as
When all of the data blocks to be upgraded are verified, the equipment to be upgraded uses the third key to decrypt each of the multiple sequentially verified data blocks and uses the third key. It is specifically configured to combine multiple decrypted data blocks for upgrade.

In other words, in the vehicle-mounted controller of the intelligent vehicle of the present embodiment of the present invention, the confidentiality of the upgrade file is further guaranteed by the encryption during transmission of the upgrade file in the vehicle.

In one possible embodiment, the target upgrade file contains multiple upgrade subfiles, multiple upgrade subfiles are used to generate multiple interrelated data blocks, and the multiple upgrade subfiles Carrying the second digital signature of multiple data blocks generated using the fourth key, the fourth key is an asymmetric key,
The vehicle-mounted controller inspects the second digital signature of the multiple data blocks and uses the fifth key to generate the second MAC of the multiple data blocks to target the vehicle-mounted equipment to be upgraded. It is specifically configured to send multiple blocks of data carrying two MACs in sequence, with the fifth key being the symmetric algorithm key.
The vehicle-mounted device to be upgraded sequentially receives multiple data blocks transmitted by the vehicle-mounted controller carrying the second MAC, and uses the fifth key to generate multiple data based on a preset algorithm. It is specifically configured to perform validation on blocks in sequence, and once all of the data blocks have been validated, combine those sequentially validated data blocks for upgrade.

In other words, after verifying the validity of the split and signed upgrade files obtained from outside the vehicle, the vehicle-mounted controller of the intelligent vehicle of the present embodiment of the present invention is the vehicle-mounted control device of the upgrade file during in-vehicle transmission. To ensure validity, the upgrade file is divided into blocks and MAC processing is performed in the vehicle. In addition, the vehicle-mounted equipment to be upgraded can receive and inspect blocks of upgrade files, allowing quick identification of errors. In addition, the computational complexity of MAC inspection is relatively low. Therefore, it can be guaranteed that inspection and upgrade are relatively easy for the equipment mounted on the vehicle to be upgraded, which has a relatively weak upgrade capacity in the vehicle. In this way, the efficiency and security of vehicle upgrades are guaranteed.

According to a third aspect, one embodiment of the present invention provides a vehicle-mounted device upgrade method, wherein the vehicle-mounted device upgrade method is:
Target Upgrade The target vehicle-mounted device is the step of receiving the target upgrade file sent by the vehicle-mounted controller, and the target upgrade file has been successfully verified for security by the vehicle-mounted controller, at least the target upgrade. It may include steps, which are upgrade files used to upgrade the target vehicle-mounted equipment, and steps in which the target vehicle-mounted equipment performs a secure upgrade using the target upgrade file. In the present embodiment of the present invention, the target upgrade target vehicle-mounted device receives the upgrade file whose security verification process has already been performed on the vehicle-mounted control device side, and the upgrade target vehicle-mounted device having a different upgrade capability is secured. Equipment upgrades can be performed using upgrade files to prevent them from being involved in the verification process, which allows the vehicle-mounted equipment to be upgraded to be upgraded securely and efficiently using the vehicle-mounted upgrade package. Guaranteed.

In one possible embodiment, the step in which the target vehicle-mounted device performs a secure upgrade using the target upgrade file is that the target upgrade target vehicle-mounted device uses the A / B system update upgrade mode. A step in which a secure upgrade is performed using the target upgrade file, and the equipment to be upgraded has its resource storage capacity and / or processing capacity exceeding the preset value. Includes Step, which is the first upgrade target vehicle-mounted device specified in. A / B system update upgrade mode may be used for upgrades on relatively strong capacity vehicle-mounted equipment.

In one possible embodiment, the target upgrade file contains multiple upgrade subfiles, and the step in which the target upgrade target vehicle-mounted device receives the target upgrade file sent by the vehicle-mounted controller is the target upgrade target vehicle-mounted device. A step in which the device sequentially receives multiple data blocks transmitted by a vehicle-mounted controller that carry a first MAC, with multiple data blocks using multiple upgrade subs using a preset algorithm. Multiple interrelated data blocks generated from a file, the first MAC is the message authentication code for multiple data blocks generated using the second key, and the second key is the symmetric key. The steps that the target vehicle-mounted device performs a secure upgrade using the target upgrade file, including steps, are based on a preset algorithm that the target upgrade target vehicle-mounted device uses a second key. A step of sequentially validating multiple data blocks and a step of combining the multiple data blocks that have been sequentially verified for the upgrade when all of the multiple data blocks are verified. And, including. In other words, during the transmission of the vehicle-mounted upgrade package between vehicle-mounted equipment, the upgrade file is split into multiple related data blocks using a preset algorithm and MAC processing is performed on those related data blocks. As such, the vehicle-mounted controller divides the complete upgrade file into multiple data blocks that can be transmitted separately and validated against them separately. In addition, since multiple data blocks are associated, a data block with a security problem can be quickly identified using a related algorithm. Therefore, the computational workload and computational complexity per unit time of the upgraded vehicle-mounted equipment with relatively weak capacity is reduced. After an upgrade file transmission error occurs, the error can be found as quickly as possible, so only the error is required to be resent, not the entire upgrade file. In this way, secure and efficient upgrades of vehicle-mounted equipment are further guaranteed.

In one possible embodiment, multiple upgrade subfiles were encrypted using a third key, and when all multiple data blocks were validated, the target vehicle-mounted equipment was validated in sequence. The step of combining multiple data blocks for upgrade is that once all of the data blocks have been validated, the target vehicle-mounted equipment will have multiple sequential validated data blocks using a third key. Includes the steps of decrypting each of the, and combining multiple decrypted data blocks for upgrade using a third key. The validity of the vehicle-mounted upgrade package is guaranteed, while the confidentiality of the vehicle-mounted upgrade package is further guaranteed, thereby preventing the vehicle-mounted upgrade package from being obtained by an unauthorized person.

In one possible embodiment, the target upgrade file contains multiple upgrade subfiles, and the step in which the target upgrade target vehicle-mounted device receives the target upgrade file sent by the vehicle-mounted controller is the target upgrade target vehicle-mounted device. A step in which the device sequentially receives multiple data blocks transmitted by a vehicle-mounted controller that carry a second MAC, with multiple data blocks using multiple upgrade subs using a preset algorithm. Multiple interrelated data blocks generated from a file, the second MAC is the message authentication code for multiple data blocks generated using the fifth key, and the fifth key is the symmetric key. The steps that the target vehicle-mounted device performs a secure upgrade using the target upgrade file, including steps, are based on a preset algorithm that the target upgrade target vehicle-mounted device uses a fifth key. A step of sequentially validating multiple data blocks and a step of combining the multiple data blocks that have been sequentially verified for the upgrade when all of the multiple data blocks are verified. And, including. In other words, block transmission and signing of vehicle-mounted upgrade packages can be performed by the upgrade developer. That is, the data block is acquired and signed by partitioning using a preset algorithm before it is acquired by the vehicle-mounted controller. In this case, the vehicle-mounted device must first check the validity of the data block, and then perform MAC processing on the checked data block. In this way, the validity of the vehicle-mounted upgrade file in the in-vehicle transmission process is guaranteed, while the computational workload and computational complexity of the vehicle-mounted equipment to be upgraded is reduced. Therefore, vehicle-mounted equipment is upgraded securely and efficiently.

In one possible embodiment, the method is a step in which the vehicle-mounted device subject to target upgrade reacquires the target data block from the vehicle-mounted controller, where the target data block is a target upgrade within the plurality of data blocks. It also includes steps, which are data blocks whose verification failed in the target vehicle-mounted equipment. Based on the transmission of the relevant block, the data block whose verification failed can be quickly identified, and in the event of such a transmission error, only the corresponding data block, not the entire upgrade file, needs to be reclaimed. Well, it reduces overhead, improves upgrade efficiency, and guarantees upgrade security.

According to a fourth aspect, the present application provides a vehicle-mounted equipment upgrade device. The vehicle-mounted equipment upgrade device has a function of implementing any one of the vehicle-mounted equipment upgrade method embodiments described above. This function may be performed by using the hardware or by running the corresponding software on the hardware. Hardware or software contains one or more modules that correspond to a function.

According to a fifth aspect, the present application provides a vehicle-mounted device to be upgraded. The terminal device has a function of implementing any one of the vehicle-mounted device upgrade method embodiments described above. This function may be performed by using the hardware or by running the corresponding software on the hardware. Hardware or software contains one or more modules that correspond to a function.

According to a sixth aspect, the present application provides a vehicle-mounted control device. The vehicle-mounted controller includes a processor, which is configured to assist the vehicle-mounted controller in performing the corresponding functions in the vehicle-mounted equipment upgrade method provided in the first aspect. The vehicle-mounted controller may further include a memory, which is configured to be coupled to a processor to store program instructions and data required by the vehicle-mounted controller. The vehicle-mounted controller may further include a communication interface for communication between the vehicle-mounted controller and another device or communication network.

According to a seventh aspect, the present application provides vehicle-mounted equipment subject to target upgrade. The target upgrade target vehicle-mounted equipment includes a processor, which is configured to assist the target upgrade target vehicle-mounted equipment in performing the corresponding functions in the vehicle-mounted equipment upgrade method provided in the third aspect. The target upgrade target vehicle-mounted device may further include memory, which is configured to be coupled to a processor to store program instructions and data required for the target upgrade target vehicle-mounted device. The target upgrade target vehicle-mounted device may further include a communication interface for communication between the target upgrade target vehicle-mounted device and another device or communication network.

According to an eighth aspect, the present application provides a computer storage medium configured to store computer software instructions used by the vehicle-mounted controller provided in the sixth aspect. Computer software instructions include programs designed to implement the aforementioned embodiments.

According to a ninth aspect, the present application provides a computer storage medium configured to store computer software instructions used by the target upgrade target vehicle-mounted device provided in the seventh aspect. Computer software instructions include programs designed to implement the aforementioned embodiments.

According to a tenth aspect, one embodiment of the present invention provides a computer program. The computer program includes instructions, and when the computer program is executed by the computer, the computer will be able to perform the steps of the vehicle-mounted equipment upgrade method in any possible embodiment of the first aspect.

According to an eleventh aspect, one embodiment of the present invention provides a computer program. The computer program includes instructions, and when the computer program is executed by the computer, the computer will be able to perform the steps of the vehicle-mounted equipment upgrade method in any possible embodiment of the third aspect.

According to a twelfth aspect, the present application provides a chip system. The chip system assists a target upgrade target vehicle-mounted device or vehicle-mounted controller when performing functions related to the aforementioned aspects, eg, when receiving or processing data and / or information in the manner described above. Includes a processor configured to. In one possible design, the chip system further includes memory, which is configured to store program instructions and data required for the target upgrade target vehicle-mounted device or vehicle-mounted controller. The chip system may include a chip, or it may include a chip and another discrete device.

It is a figure of the vehicle-mounted system upgrade architecture by one Embodiment of this invention. It is a schematic structural drawing of OTA Orchestrator by one Embodiment of this invention. It is a schematic structural drawing of the equipment mounted on the vehicle to be upgraded by one Embodiment of this invention. It is a figure of another vehicle-mounted system upgrade architecture by one Embodiment of this invention. It is a schematic flow chart of the vehicle-mounted equipment upgrade method by one Embodiment of this invention. It is a schematic structural drawing of the vehicle-mounted upgrade device by one Embodiment of this invention. It is a schematic structural drawing of the vehicle-mounted device to be upgraded by one Embodiment of this invention. It is a schematic structural drawing of the apparatus by one Embodiment of this invention. It is a schematic structural drawing of the intelligent vehicle by one Embodiment of this invention.

Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings in the embodiments of the present invention.

In the specification of the present application, the scope of claims and the accompanying drawings, terms such as "1st", "2nd", "3rd" and "4th" are used to distinguish different objects. , Does not indicate a specific order. In addition, "including" and "having" and any other variations thereof are intended to include non-exclusive inclusion. For example, a process, method, system, product, or device that includes a series of steps or units is not limited to the described steps or units, but optionally further includes or optionally includes undescribed steps or units. And further includes another unique step or unit of the process, method, product, or equipment.

As used herein by reference, it means that a particular property, structure, or feature described with reference to that embodiment may be included in at least one embodiment of the present application. The terms used in various parts of the specification do not necessarily refer to the same embodiment and are not independent or optional embodiments that exclude another embodiment. It will be appreciated by those skilled in the art, both explicitly and implicitly, that the embodiments described herein can be combined with other embodiments.

As used herein, terms such as "component," "module," and "system" refer to computer-related entities, hardware, firmware, hardware-to-software combinations, software, or software running. Used to indicate. For example, components can be, but are not limited to, processes, processors, objects, executable files, threads of execution, programs, and / or computers running on the processor. As shown in each figure, both the computing device and the application running on the computing device can be components. There may be one or more components within the process and / or execution thread, the components may be located on one computer and / or distributed among at least two computers. May be good. In addition, these components may be executed from various computer-readable media that store various data structures. For example, a component may be another configuration over a network, such as the Internet, where one or more data packets (eg, local systems, distributed systems, and / or signals are used to interact with other systems. It can communicate using local and / or remote processes based on signals that have data from two components that interact with the element.

First, some terms in this application will be described for ease of understanding by those skilled in the art.

(1). Wireless technology (Over-the-air Technology, OTA) is a technology for performing remote firmware or software upgrades via an air interface in mobile communications.

(2). Vehicle-mounted information services (Telematics) is a compound term of telecommunications and informatics, computer systems, wireless communication technologies, and satellites embedded in vehicles such as automobiles, aircraft, ships, or trains. It can be literally defined as a navigation device, or a service system that provides information using Internet technology for exchanging information such as text and voice. In short, the service system uses a wireless network to connect the vehicle to the Internet and provide the vehicle owner with a variety of information necessary for driving and living.

(3). An electronic control unit (ECU) is a vehicle-specific microcontroller from the viewpoint of use. Like a typical computer, electronic control units include a microprocessor (CPU), memory (ROM, RAM), input / output interface (I / O), analog-to-digital converter (A / D), shaper, and Includes large scale integrated circuits such as drives.

(Four). A vehicle control unit (VCU) can also be referred to as an integrated electric vehicle controller. The VCU is the overall controller of the electric vehicle powertrain and is responsible for coordinating the operation of parts such as the engine, drive motor, gearbox and power battery, improving vehicle power performance, safety performance and economic efficiency. Has the function of The VCU is the core of an integrated electric vehicle control system and is configured to control the start, operation, forward and backward, speed, and stop of the electric vehicle motor and control other electrical equipment in the electric vehicle. It is a core controller. As the core of a pure electric vehicle control system, the VCU is responsible for tasks such as data exchange, safety management, driver intent interpretation, and power stream management. The VCU collects motor control system signals, accelerator pedal signals, brake pedal signals, and signals of other components, performs a comprehensive analysis, and then determines and responds to the driver's driving intentions. Monitor the operation of the lower layer component controller. VCUs play important roles in functions such as normal vehicle driving, battery power braking and regeneration, network management, failure diagnosis and processing, and vehicle status monitoring.

(6). The Controller Area Network (CAN) bus is the most widely applied fieldbus in the world. The reliability and powerful error detection capability of the CAN bus has received a lot of attention, so the CAN bus is widely applied to vehicle computer control systems as well as industrial environments with hash ambient temperatures, strong electromagnetic radiation, and violent vibrations. Has been done. The CAN bus is a widely applied fieldbus and has great application prospects in fields such as industrial measurement and control and industrial automation. CAN is a serial communication bus network. The CAN bus has the advantages of reliability, real-time, and flexibility in data communication. For transparent design and flexible execution, the structure of the CAN bus is in the physical layer and data link layer (including the logical link control LLC sublayer and the medium access control MAC sublayer) according to the ISO / OSI standard model. It is divided.

(7). A message authentication code (MAC) is an encoding function for a signal source. The MAC is similar to the digest algorithm, but the key must be used during the calculation, so the MAC depends on both the key used and the information on which the MAC needs to be calculated. In practice, the MAC is usually obtained by construction based on the digest algorithm.

(8). A key derivation function (KDF) is a key derivation function used during encryption and decryption. The function of the key derivation function is to derive the key data from the shared secret bit serial port. During key negotiation, the key derivation function acts on the secret bitstring obtained in the key exchange to generate the required session key or key data required for further encryption.

(9). Public-key cryptography (asymmetric cryptography): Public-key cryptography is also called asymmetric cryptography. The asymmetric key algorithm means that the encryption key of the encryption algorithm is different from the decryption key of the encryption algorithm, or one key of the encryption algorithm cannot be estimated using the other key. A user with public key cryptography has an encryption key and a decryption key, and cannot obtain the decryption key using the encryption key. In addition, the encryption key is public. Based on this principle, public key cryptography is designed to use support information (trapdoor information) as a private key. The security of this type of cipher depends on the computational complexity of the problems underlying this type of cipher. Currently, common public key cryptography includes RSA public key cryptography, ElGamal public key cryptography, and elliptic curve cryptography.

(Ten). Symmetrical encryption: Symmetrical key encryption is also called dedicated key encryption. Specifically, the data transmitting side and the data receiving side always use the same key to perform the encryption operation and the decryption operation on the plaintext. That is, the encryption key can be inferred from the decryption key and vice versa. In most symmetric algorithms, the encryption key is the same as the decryption key. These algorithms, also called private key algorithms or single key algorithms, require the sender and receiver to consent to the key prior to secure communication. The security of the symmetric algorithm depends on the key, and a key leak means that anyone can encrypt and decrypt the message. The key needs to be kept confidential if the communication requires confidentiality.

From the above description of the symmetric key algorithm and the asymmetric key algorithm, the following can be seen. The same key is used for both symmetric key encryption and symmetric key decryption, or it is easy to infer the decryption key from the encryption key. In addition, symmetric key algorithms have features such as easy encryption, fast encryption and decryption, relatively short keys, and a long history of development, while asymmetric key algorithms have encryption and decryption. It is characterized by slowness, long keys, and a short development history.

(11). The Transport Layer Security (TLS) protocol is used to provide confidentiality and data integrity between two application programs. The protocol includes two layers, the TLS Record protocol and the TLS Handshake protocol. The Transport Layer Security (TLS) protocol is used to provide confidentiality and data integrity between two communication application programs.

First, the technical problems and application scenarios that need to be resolved in this application are shown. In the prior art, traditional vehicle-mounted equipment is reclaimed for firmware / software upgrades. Specifically, the vehicle, such as an auto repair shop or 4S store, to upgrade the firmware / software using the following methods, the specific embodiments of which are Solution 1 and Solution 2 below. It will be collected at the designated place.

Solution 1: Use the Joint Test Action Group (JTAG) interface or the Background Debugging Mode (BDM) interface to write online or after the vehicle-mounted equipment has been disassembled. Do. Specifically, method 1 and method 2 may be included.

Method 1: First, use a personal computer (PC) to download the software to be upgraded to the programmer, connect the programmer to the programming equipment, and then connect the programmer to the programming equipment with the Printed Circuit Board of the vehicle electronic control system. Place the PCB) to align the printed circuit board with the download interface, and finally turn on the programmer and write the software.

Method 2: Program download for PC and single-chip microcomputer Connect the data line in series with the PCB of the vehicle electronic control system and operate the PC to download the program directly to the single-chip microcomputer.

The above-mentioned methods 1 and 2 have problems that they require a skilled person, are expensive, and are very inconvenient to operate.

Solution 2: Perform flash writing based on CAN bus on-board diagnostics (OBD).

step 1. Enters refresh mode from the normal application program operating state of the vehicle electronics system (triggers an interrupt or diagnostic).

Step 2. Inspect the memory of the vehicle electronic controller chip to determine if the memory contains the correct application program.

Step 3. If the correct application program is not in memory, download the application program software from the diagnostic device, transmit the application program software over the CAN bus, and refresh the application program in Flash (refresh module starts and guides software writing). Is configured as).

Solution 2 has the problem of requiring skill and a long cycle.

In addition to Solution 1 and Solution 2 above, remote upgrades are currently being implemented on some vehicles. However, remote upgrades are generally performed primarily on vehicle-mounted equipment with relatively high computational power and relatively large storage space. In other words, it is currently not possible to provide a secure and efficient firmware / software upgrade method for vehicle-mounted equipment with relatively weak computing power or relatively small storage space. Therefore, how to perform secure and efficient firmware / software upgrades for upgradeable vehicle-mounted equipment with various upgrade capabilities within the vehicle-mounted system needs to be resolved in practice in this application. It's a technical issue.

In order to facilitate the understanding of the embodiments of the present invention, the vehicle-mounted upgrade system architecture applied to the embodiments of the present invention will first be described below based on the above description. FIG. 1 is a diagram of a vehicle-mounted system upgrade architecture (abbreviated as architecture 1) according to an embodiment of the present invention. The vehicle-mounted equipment upgrade method provided in this application may be applied to this system architecture. The system architecture includes an upgrade server, a vehicle-mounted controller, and multiple upgraded vehicle-mounted devices such as HMI (human-machine interface), BMS (battery management system), ECU1, and ECU2. The vehicle-mounted controller may include a Telematics unit and an OTA Orchestrator unit that are configured to manage and assist the upgrade process of multiple upgraded vehicle-mounted equipment. In this system architecture, remote upgrade of vehicle-mounted equipment may include the basic processes of releasing an upgrade package, obtaining an upgrade package, transmitting the upgrade package in-vehicle, and upgrading and verifying.

The upgrade server is configured to get an unencrypted vehicle-mounted upgrade package from the developer.

Telematics within the vehicle-mounted controller is responsible for communicating with the outside world. In this application, Telematics is an upgrade server for performing the task of obtaining a vehicle-mounted upgrade package and performing some actions to transmit the vehicle-mounted upgrade package (sending the vehicle-mounted upgrade package to OTA Orchestrator). And is responsible for communication with the key server.

The OTA Orchestrator in the vehicle-mounted controller is responsible for communicating with the vehicle-mounted equipment to be upgraded in the vehicle. In this application, the vehicle-mounted upgrade package passes through Telematics and management units / modules and finally reaches the target vehicle-mounted equipment for upgrade. The main function of OTA Orchestrator is to manage and assist the upgrade process of vehicle-mounted equipment. Specifically, the OTA Orchestrator must have the following features: Key distribution and management, OTA process management, and support for other low-capacity vehicle-mounted equipment for operations that require heavy computational workloads: A backup node for another vehicle-mounted device to be upgraded that is less capable for verifying the integrity and authenticity of the upgrade package, for example, for transcoding, and rollback in the event of an upgrade failure. To play the role of. OTA Orchestrator is a logical entity that can be physically placed on any powerful unit or module such as Telematics, Gateway, or VCU. The structure of the OTA Orchestrator can be shown in Figure 2. FIG. 2 is a schematic structural diagram of an OTA Orchestrator according to an embodiment of the present invention. The OTA Orchestrator includes a processor CPU, associated volatile memory RAM, associated non-volatile memory ROM, and a secure storage device configured to store keys, such as static keys shared with vehicle-mounted equipment. obtain. The OTA Orchestrator also includes memory configured to store the OTA management program, which is used to manage the upgrade process and is mounted on another vehicle via CAN bus or another in-vehicle network. It also includes a network interface that can communicate with the device. When OTA Orchestrator is implemented on Telematics, it can be seen that OTA Orchestrator needs more network interfaces to communicate with external networks. That is, the OTA Orchestrator must have relatively powerful computing power and relatively large resources to help the vehicle-mounted equipment complete the remote upgrade and be trusted by another vehicle-mounted equipment. is there. Regarding the logical architecture division, OTA Orchestrator divides the architecture into an out-of-vehicle communication part and an in-vehicle communication part. The equipment inside the vehicle only needs to perform a symmetric cryptographic operation instead of a public key cryptographic operation. When public key operations need to be performed, they are assigned to OTA Orchestrator to reduce the computational workload and computational complexity of the equipment to be upgraded in the vehicle.

For the equipment mounted on the vehicle to be upgraded, the configuration of any one of the equipment mounted on the vehicle to be upgraded may be shown in FIG. FIG. 3 is a schematic structural diagram of a vehicle-mounted device to be upgraded according to an embodiment of the present invention. Vehicle-mounted equipment to be upgraded may include a microcontroller (Micro controller), a CAN controller (CAN controller), and a transceiver (Transceiver). Vehicle-mounted equipment to be upgraded uses the transceiver Transceiver to communicate with the in-vehicle network such as CAN bus. The CAN controller is configured to perform the CAN protocol and the microcontroller is configured to perform the relevant computational processing before and after the upgrade. For example, the microcontroller may implement the vehicle-mounted equipment upgrade method performed by the vehicle-mounted equipment to be upgraded in this application. With reference to the schematic structure above, in this application, the target upgrade target vehicle-mounted equipment was transmitted by the vehicle-mounted controller based on an in-vehicle network such as CAN bus using a transmitter / receiver (Transceiver). Receive the target upgrade file and use the target upgrade file and the Micro Controller to perform a secure upgrade. For more specific functions, refer to the description of the functions related to the equipment mounted on the vehicle to be upgraded in the subsequent embodiments.

From the schematic structural drawing of the equipment mounted on the vehicle to be upgraded, it can be seen that the CAN bus is commonly used in current vehicles, but the CAN bus affects the bandwidth. Therefore, in some upgrade scenarios, remote upgrade of vehicle-mounted equipment firmware / software cannot achieve maximum upgrade efficiency.

FIG. 4 is a diagram of another vehicle-mounted system upgrade architecture (abbreviated as architecture 2) according to one embodiment of the present invention. Unlike the system upgrade architecture shown in Figure 1, this vehicle-mounted system upgrade architecture also includes a key server.

The upgrade server is configured to obtain a developer-encrypted vehicle-mounted upgrade package from the developer.

The key server obtains the key from the developer over a secure channel, stores the key, and finally provides the key to the vehicle-mounted controller when the vehicle-mounted upgrade package is encrypted by the developer. It is configured as follows.

For other aspects, such as the specific functionality of the vehicle-mounted controller and multiple upgradeable vehicle-mounted equipment, it is understandable to refer to the description of functional entities or units in the vehicle-mounted system upgrade architecture corresponding to Figure 1. Yeah. The details are not repeated here.

It will be further understood that the vehicle-mounted system upgrade architecture of this application may include more developers. After developing and testing the upgrade program (firmware / software), the developer distributes the vehicle-mounted upgrade package to the upgrade server. The distributed vehicle-mounted upgrade package must be signed using a digital signature. Optionally, the vehicle-mounted upgrade package may be further encrypted before being signed using a digital signature. If the vehicle-mounted upgrade package is not encrypted, the architecture is the system architecture in Figure 1, and if the vehicle-mounted upgrade package is encrypted, the architecture is the system architecture in Figure 2. Corresponding embodiments will be described in detail below.

It should be noted that the vehicle-mounted system upgrade architectures of FIGS. 1 and 2 are only two examples of embodiments of the embodiments of the present invention. The communication system architecture of the embodiment of the present invention includes, but is not limited to, the system architecture described above.

In the following, the technical problems presented in this application will be specifically analyzed and resolved using embodiments of the vehicle-mounted equipment upgrade method provided in this application.

FIG. 5 is a schematic flow chart of a vehicle-mounted device upgrade method according to an embodiment of the present invention. The method may be applied to the vehicle-mounted system upgrade architecture of Figure 1 or Figure 4. With reference to FIG. 5, this method will be described below from the viewpoint of interaction between the vehicle-mounted control device and the target-mounted vehicle-mounted device. The method may include steps S501 through S505.

Step S501. Vehicle-mounted controller acquires vehicle-mounted upgrade package.

Step S502. The vehicle-mounted controller performs security verification on multiple upgrade files.

Step S503. The vehicle-mounted controller sends a target upgrade file to the target vehicle-mounted equipment that should be upgraded using the target upgrade file, and the target upgrade file is an upgrade file whose security verification is successful in multiple upgrade files. Is.

Step S504. The target vehicle-mounted device receives the target upgrade file sent by the vehicle-mounted controller, and the target upgrade file upgrades the upgraded vehicle-mounted device for which the security verification performed by the vehicle-mounted controller was successful. The upgrade file used to do this.

Step S505. Target upgrade target vehicle-mounted equipment uses the target upgrade file to perform a secure upgrade.

Specifically, the vehicle-mounted upgrade package contains multiple upgrade files, each upgrade file used to upgrade at least one vehicle-mounted equipment to be upgraded. In other words, one vehicle-mounted device to be upgraded in the vehicle-mounted system may support one or more upgrade files.

The vehicle-mounted upgrade package is released before the vehicle-mounted controller performs step S501. Generally, after the development and testing of an upgrade program, the developer of the vehicle-mounted upgrade package (firmware / software) distributes the vehicle-mounted upgrade package to the upgrade server. In one possible embodiment, the vehicle-mounted upgrade package includes a first digital signature. Assume that the vehicle-mounted upgrade package is M and the version information is ver (eg, all metadata information such as program name, new version number, and old version number). In the present embodiment of the present invention, as shown in FIG. 6, when the vehicle-mounted upgrade package is released, the developer digitally signs the upgrade package or the upgrade server digitally signs the upgrade package. A signing method may be provided. FIG. 6 is a schematic representation of two types of digital signatures according to an embodiment of the present invention. Cases 1 and 2 are included.

Case 1: σ = Sign _D (M || ver) indicates that the developer digitally signs M || ver and serves as the first digital signature of the present application.

Case 2: σ = Sign _S (M || ver) indicates that the upgrade server digitally signs M || ver and serves as the first digital signature of the present application.

The digital signature algorithm used in the above two signature methods is not particularly limited in this application. Optionally, a secure channel may be established between the developer and the upgrade server to transfer information, and the secure channel can be a network channel or a physical channel such as registered mail. .. In conclusion, when the vehicle-mounted upgrade package is released, the upgrade server updates the vehicle-mounted upgrade package [M, ver, σ] and releases information about the updated or new vehicle-mounted upgrade package to the outside world. ..

The present application provides two vehicle-mounted system upgrade architectures, namely Architecture 1 without a key server shown in FIG. 1 and Architecture 2 with a key server shown in FIG.

In Architecture 1, vehicle-mounted upgrade packages are not encrypted. The upgrade server must authenticate to the vehicle-mounted controller's identity, establish a secure channel to the vehicle-mounted controller after successful authentication, and obtain the vehicle-mounted upgrade package through the secure channel. is there. This process is the process by which the OTA Orchestrator in the vehicle-mounted controller uses the Telematics unit to obtain the upgrade package from the upgrade server.

Specifically, the vehicle-mounted control device transmits the identification authentication information to the upgrade server. If the identity credentials are authenticated by the upgrade server, a secure channel is established between the vehicle-mounted controller and the upgrade server, and the vehicle-mounted controller is required to upgrade from the upgrade server over the secure channel. Get a vehicle-mounted upgrade package.

In one specific embodiment, the OTA Orchestrator queries the upgrade server or the upgrade server pushes an update message to the OTA Orchestrator. Specifically, the upgrade package can be obtained in the following steps.

1. 1. OTA Orchestrator OTA Orchestrator acquires the current version information of the equipment installed in the target upgrade target vehicle. This information can be obtained by querying the target vehicle-mounted equipment or by querying the database maintained by the OTA Orchestrator (OTA Orchestrator maintains basic firmware / software information for all vehicle-mounted equipment. (Assuming that).

2. OTA Orchestrator decides if an upgrade is needed. If an upgrade is required, OTA Orchestrator may choose to ask the vehicle owner if it will be upgraded. If the vehicle owner agrees, the upgrade will begin.

3. 3. OTA Orchestrator initiates authentication to the upgrade server, establishes a secure channel to the upgrade server, and sends data packets over the secure channel.

Four. OTA Orchestrator reports the current version information of the vehicle-mounted equipment to the upgrade server, and if the upgrade server agrees, OTA Orchestrator downloads the upgrade package [M, ver, σ, {M'}]. M is a vehicle-mounted upgrade package, ver is version information, including all metadata information such as program name, new version number, and corresponding old version number, σ = Sign _D (M || ver) or σ = Sign _S (M || ver) is the first digital signature, M'represents the rollback file, and {M'} is optional for M'. , Indicates that the target vehicle-mounted device is valid only when it has a weak capacity.

Five. OTA Orchestrator verifies the authenticity of the first digital signature σ, and if the verification fails, OTA Orchestrator gives up the upgrade. Optional, and if necessary, OTA Orchestrator also validates against M'. It is assumed that M'also carries a digital signature.

In Architecture 2, vehicle-mounted upgrade packages are encrypted on the upgrade server. Therefore, it is not necessary to establish a dedicated secure channel between the vehicle-mounted controller and the upgrade server. In addition, after the vehicle-mounted controller validates the vehicle-mounted upgrade package using the first signature, the vehicle-mounted upgrade package still needs to be decrypted using the first key. In this embodiment, the upgrade file is encrypted by the developer. A further advantage of the developer encrypting the upgrade file is that the developer does not have to consider the reliability of the upgrade server. Therefore, the confidentiality of the upgrade file is further protected.

Specifically, the vehicle-mounted upgrade package is encrypted using the first key. The first key is a symmetric key. The vehicle-mounted controller obtains the first key from the key server. If the digital signature verification is successful after the vehicle-mounted controller performs digital signature verification on multiple upgrade files using the first digital signature, the vehicle-mounted controller uses the first key. To decrypt multiple upgrade files.

After developing and testing the upgrade program, the developer of the vehicle-mounted upgrade package (firmware / software) distributes the upgrade file to the upgrade server. This process corresponds to the architecture shown in Figure 4. Unlike architecture 1, this architecture requires an additional key server.

Assume that the upgrade file is M and ver represents version information, including all metadata (meta-data) information such as program name, new version number, and corresponding old version number. The developer chooses any key K (first key) and uses K to encrypt M, resulting in C = E (K, M). In the equation, E (K ,.) represents K-based encryption, for example group encryption.

As mentioned above, the first digital signature has two scenarios: the developer digitally signs the upgrade package, or the upgrade server digitally signs the upgrade package. In both cases, the developer must send the encrypted upgrade file key K to the key server over a secure channel, protecting the channel for transmitting the encrypted upgrade file. Does not need. A secret channel between the developer and the key server can be established using many methods, for example using TLS. This is not particularly limited in this application.

In one specific embodiment, this process is the process by which the OTA Orchestrator obtains the upgrade package from the upgrade server and the key from the key server to decrypt the upgrade software. Specifically, OTA Orchestrator begins this process after learning that there is a new upgrade package for vehicle-mounted equipment. The OTA Orchestrator can get the message by contacting the upgrade server, or the upgrade server pushes the information to the OTA Orchestrator. The upgrade package can be obtained by following the steps below.

1. 1. OTA Orchestrator acquires the current version information of the equipment installed in the target upgrade target vehicle. This information can be obtained by querying the target vehicle-mounted equipment or by querying the database maintained by the OTA Orchestrator (OTA Orchestrator maintains basic firmware / software information for all vehicle-mounted equipment. (Assuming that).

2. OTA Orchestrator decides if an upgrade is needed. If an upgrade is required, OTA Orchestrator may choose to ask the vehicle owner if it will be upgraded. If the vehicle owner agrees, the upgrade will begin.

3. 3. OTA Orchestrator downloads the upgrade package [C, ver, σ, {C'}] from the upgrade server. C'represents an encrypted file signed using a digital signature that should be used for rollback if the upgrade fails, and {C'} is the target upgrade target, where C'is optional. Note that it shows that it is only valid when the vehicle-mounted equipment is a weak equipment.

Four. OTA Orchestrator verifies the authenticity of σ (ie, verifies the authenticity of the first digital signature), and if the verification fails, OTA Orchestrator gives up the upgrade. If necessary, OTA Orchestrator will also verify C'.

Five. OTA Orchestrator initiates authentication to the key server, establishes a secure channel to the key server, and obtains the upgrade package decryption key K (ie, the first key) over the secure channel. If necessary, OTA Orchestrator also needs to obtain a decryption key to decrypt C'.

6. OTA Orchestrator decrypts C using K to get the upgrade file M, and if necessary, OTA Orchestrator M'(M'is used for rollback when the upgrade fails) You also need to decipher C'to get.

In one possible embodiment, if the confidentiality of the upgrade file also needs to be protected, after obtaining the upgrade package, OTA Orchestrator does not decrypt C and n parts of C: C ₁ , C. ₂ ,. .. .. , And C _n , then C ₁ , C ₂ , ... .. .. , And C _n are used in subsequent processing methods that are based on the Hash Chain, Hash Tree, and Bloom Filter. The OTA Orchestrator also needs to transfer the shared key K to the target vehicle-mounted device via a secret channel, so the target upgrade target vehicle-mounted device decrypts it.

In step S502, the vehicle-mounted controller needs to perform security verification on multiple upgrade files in the vehicle-mounted upgrade package obtained from the upgrade server. In one possible embodiment, the vehicle-mounted upgrade package contains a first digital signature, and the vehicle-mounted controller OTA Orchestrator uses the first digital signature to perform digital signature verification for multiple upgrade files. Do. Specifically, security verification (eg, credibility), unlike prior technology, in which the vehicle-mounted controller acquires the vehicle-mounted upgrade package and then the upgrade package is sent directly to the corresponding upgraded vehicle-mounted equipment for the upgrade. Sex verification) is first performed on the vehicle-mounted controller for multiple upgrade files in the vehicle-mounted upgrade package, and the upgrade files that have been successfully verified for security are then transcoded and code-translated. The file is sent to the corresponding upgraded vehicle-mounted device for a secure upgrade. The code conversion of the present application uses an algorithm (Hash Chain algorithm, Hash Tree algorithm, or Bloom Filter algorithm) to perform hash association processing for each of the plurality of upgrade subfiles obtained by division. To imply that MAC processing is done on one or more nodes in a hash chain, hash tree, or Bloom filter to further implement secure data package segment transmission applicable to the in-vehicle network. Please note. In this way, the large number of security verification operations that need to be performed by the vehicle-mounted equipment to be upgraded are reduced. In other words, it reduces the computational workload, computational complexity, etc. during security verification performed by a single upgrade target vehicle-mounted device.

In step S503, different vehicle-mounted equipment to be upgraded may only support some upgrade files in the vehicle-mounted upgrade package. Therefore, the vehicle-mounted controller needs to send the successfully verified target upgrade file in the multiple upgrade files to the target upgrade target vehicle-mounted device to be upgraded using the target upgrade file. It can be seen that the size and content of the upgrade subfiles in the target upgrade file can vary.

In one possible embodiment, the vehicle-mounted controller splits the target upgrade file into multiple upgrade subfiles (which may also be understood as multiple segments) and uses a preset algorithm from multiple upgrade subfiles. Multiple interrelated data blocks are generated, the second key is used to generate the first message authentication code MAC for the multiple data blocks, and the first MAC is carried to the target vehicle-mounted device. Data blocks of are transmitted in sequence. The second key is the symmetric algorithm key.

Specifically, during the transmission of the vehicle-mounted upgrade package between vehicle-mounted equipment, the vehicle-mounted controller uses a preset algorithm to divide the upgrade file into multiple related data blocks into related data blocks. On the other hand, the MAC processing is performed, so that the vehicle-mounted controller divides the complete upgrade file into a plurality of data blocks that can be transmitted separately and validated separately. In addition, since multiple data blocks are associated, a data block with a security problem can be quickly identified using a related algorithm. The preset algorithms include one of the Hash Chain algorithm, the Hash Tree algorithm, and the Bloom Filter algorithm. In this application, the vehicle-mounted controller divides the target upgrade file into multiple upgrade subfiles in order to avoid sending the target upgrade file to the vehicle-mounted equipment to be upgraded at once. Can receive and process upgrade subfiles separately. Therefore, "sequentially" in this application may include "sequentially" or "multiple upgrade subfiles after another plurality of upgrade subfiles", eg, two upgrade subfiles first transmitted. , Then can be instructed to send two other upgrade subfiles, etc., or one upgrade subfile first, then two other upgrade subfiles, etc. Can be done. That is, the vehicle-mounted controller only needs to divide the target upgrade file into a plurality of upgrade subfiles and send the upgrade subfiles to the vehicle-mounted equipment to be upgraded in batch. The specific method of dividing the target upgrade file and sequentially transmitting the upgrade subfile to the equipment mounted on the vehicle to be upgraded is not particularly limited in this application. In this application, the OTA Orchestrator deployed to solve the problems of weak vehicle-mounted equipment, insufficient storage resources, and limited in-vehicle network bandwidth is a vehicle-mounted upgrade package. Can be transcoded. OTA Orchestrator's code conversion function eliminates the need for vehicle-mounted equipment to perform public key cryptography, which reduces the workload of vehicle-mounted equipment. Therefore, the computational workload and computational complexity per unit time of the upgraded vehicle-mounted equipment with relatively weak capacity is reduced. In addition, after an upgrade file transmission error occurs, the error can be found as quickly as possible, so only the error is required to be retransmitted, not the entire upgrade file. In this way, secure and efficient upgrades of vehicle-mounted equipment are further guaranteed.

In one possible embodiment, the vehicle-mounted controller splits the target upgrade file into multiple upgrade subfiles and encrypts the multiple upgrade subfiles (to ensure confidentiality) (guarantees authenticity). (For) code-converted, encrypted and code-converted upgrade subfiles are sent sequentially to the target vehicle-mounted equipment. Specifically, the vehicle-mounted controller encrypted each of the multiple upgrade subfiles using a third key and encrypted using a third key using a preset algorithm. Multiple interrelated data blocks are generated from multiple upgrade subfiles, and multiple data blocks carrying the first MAC are sequentially transmitted to the target vehicle-mounted device to be upgraded. In other words, in the present embodiment of the present invention, the vehicle-mounted control unit needs to encrypt the plurality of upgrade subfiles before the code conversion in order to guarantee the confidentiality of the plurality of upgrade subfiles, and then the plurality of upgrade subfiles must be encrypted. It differs from the above-described embodiment of the present invention in that the encrypted upgrade subfile is code-converted.

In one possible embodiment, the target upgrade file contains multiple upgrade subfiles, multiple upgrade subfiles are used to generate multiple interrelated data blocks from multiple upgrade subfiles, and multiple upgrade subfiles Carrying the second digital signature of multiple data blocks generated using the fourth key, the fourth key is an asymmetric key, and the vehicle-mounted controller is the second digital of multiple data blocks. Checking the signature, the vehicle-mounted controller uses a fifth key to generate a second MAC for multiple data blocks, the fifth key is a symmetric algorithm key, and the vehicle-mounted controller is the target. A plurality of data blocks carrying the second MAC are sequentially transmitted to the equipment mounted on the vehicle to be upgraded. In other words, block transmission and signing of vehicle-mounted upgrade packages can be performed by the upgrade developer. That is, the data block is acquired and signed by partitioning using a preset algorithm before it is acquired by the vehicle-mounted controller. In this case, the vehicle-mounted device must first check the validity of the data block, and then perform MAC processing on the checked data block. The computational workload and computational complexity of MAC inspection is much less than that of signatures. Therefore, the validity of the vehicle-mounted upgrade file in the in-vehicle transmission process can be guaranteed, and at the same time, the computational workload and computational complexity of the vehicle-mounted equipment to be upgraded can be reduced. Therefore, vehicle-mounted equipment is upgraded securely and efficiently.

In step S504, the target upgrade target vehicle-mounted device receives the target upgrade file transmitted by the vehicle-mounted controller. The target upgrade file is an upgrade file used for at least the target vehicle-mounted equipment for which the security verification performed by the vehicle-mounted controller has been successful. Specifically, this process is the process of secure transmission of the vehicle-mounted package within the vehicle.

In step S505, the target upgrade target vehicle-mounted equipment performs a secure upgrade using the target upgrade file. In one possible embodiment, the equipment to be upgraded is the first vehicle-mounted equipment to be upgraded whose resource storage capacity and / or processing capacity exceeds the preset value, or the first pre-specified upgrade target. A / B System Updates upgrade mode is the target vehicle for vehicle-mounted equipment, for example, equipment with relatively strong processing power or memory capacity, or designated equipment. Used for on-board equipment. Specifically, the target upgrade target vehicle-mounted device has area A and area B, the upgrade target program (firmware or software) is executed in area A, a new upgrade program is written in area B, and the program is upgraded. Is executed in area B after the completion of. This does not affect the normal operation of older version systems during the vehicle-mounted upgrade process. For example, strong or major equipment uses the A / B system update upgrade method, and weak equipment uses OTA Orchestrator as a backup node to roll back if the upgrade fails. When the upgrade is successful, the vehicle-mounted equipment will remove the upgrade package and notify OTA Orchestrator. OTA Orchestrator removes the upgrade package, updates the database and notifies the vehicle owner of a successful upgrade. Alternatively, OTA Orchestrator may choose to notify the upgrade server. In addition, OTA Orchestrator may further choose to instruct the target vehicle-mounted equipment to perform remote attestation to prove that the upgrade was successful.

In one possible embodiment, the target upgrade target vehicle-mounted device sequentially receives a plurality of data blocks transmitted by the vehicle-mounted controller carrying the first MAC. Multiple data blocks are multiple interrelated data blocks generated from multiple upgrade subfiles using a preset algorithm, and the first MAC is multiple generated using a second key. It is the message authentication code of the data block, and the second key is the symmetric key. In other words, the second key is the shared key. Therefore, it is only necessary to perform credibility verification using a simple symmetric key between the target upgrade target device and the vehicle-mounted control device. This reduces the computational workload and computational complexity of the target upgrade target equipment. In this way, even "weak" upgraded vehicle-mounted equipment with relatively weak computing power or relatively small storage space has a relatively low computational workload that may require a secure and efficient upgrade to compute. The complexity of is relatively low.

In one possible embodiment, the target upgrade target vehicle-mounted equipment uses a second key to sequentially validate multiple data blocks based on a preset algorithm, and all of the multiple data blocks are validated. The target vehicle-mounted device to be upgraded combines a plurality of sequentially verified data blocks for the upgrade. Specifically, after receiving multiple upgrade subfiles that are encrypted using a second key, code-translated using a preset algorithm, and sent by the vehicle-mounted controller, the target device to be upgraded. Must use the second key to inspect the first MAC and the associated values for multiple data blocks using the characteristics of the interrelated data blocks generated using the preset algorithm. Perform an inspection. After all data blocks have been decrypted and validated, that is, after all data blocks have been successfully validated, the target upgrade target device combines multiple upgrade subfiles into a complete file for the upgrade.

In one possible embodiment, multiple upgrade subfiles are encrypted using a third key, and once all of the multiple data blocks have been validated, the target vehicle-mounted device has a third key. Each of the multiple sequentially validated data blocks is decrypted using the target vehicle-mounted equipment to combine the decrypted data blocks using the third key for the upgrade. In other words, the present embodiment of the present invention requires that the target upgrade target vehicle-mounted device verifies the encrypted and code-translated upgrade subfiles before decrypting the plurality of verified upgrade subfiles. It differs from the above-described embodiment of the present invention in that it combines a plurality of upgrade subfiles for upgrade after successful decoding.

In one possible embodiment, the target upgrade file contains multiple upgrade subfiles, and the target upgrade target vehicle-mounted device sequentially carries multiple blocks of data transmitted by the vehicle-mounted controller that carry a second MAC. To receive. Multiple data blocks are multiple interrelated data blocks generated from multiple upgrade subfiles using a preset algorithm, and a second MAC is multiple data generated using a fifth key. The block's message authentication code, the fifth key is the symmetric algorithm. The target upgrade target vehicle-mounted device sequentially verifies multiple data blocks based on the preset algorithm using the fifth key, and when all of the multiple data blocks are verified, the target upgrade target vehicle-mounted device. Combines multiple sequentially validated data blocks for upgrade. In other words, block transmission and signing of vehicle-mounted upgrade packages can be performed by the upgrade developer. That is, the data block is acquired and signed by partitioning using a preset algorithm before it is acquired by the vehicle-mounted controller. In this case, the vehicle-mounted device must first check the validity of the data block, and then perform MAC processing on the checked data block. The computational workload and computational complexity of MAC inspection is much less than that of signatures. Therefore, the validity of the vehicle-mounted upgrade file in the in-vehicle transmission process can be guaranteed, and at the same time, the computational workload and computational complexity of the vehicle-mounted equipment to be upgraded can be reduced. Therefore, vehicle-mounted equipment is upgraded securely and efficiently.

Furthermore, when the target vehicle-mounted device performs the upgrade operation, if the target data block verification for the target data block in multiple data blocks fails in the target upgrade target vehicle-mounted device, the vehicle-mounted control device is used as the target upgrade target vehicle-mounted device. Resend the target data block to. In other words, the target upgrade target vehicle-mounted device reacquires the target data block from the vehicle-mounted controller. Joins and upgrades only occur when all data blocks have been validated. In the present embodiment of the present invention, the target upgrade file is divided into a plurality of data blocks, so that when verification for one or more data blocks fails, one or more data blocks instead of the entire target upgrade file. Only need to be downloaded again, which reduces overhead and improves upgrade efficiency.

In the following, credibility verification between the vehicle-mounted controller and the target upgrade target device, that is, how the vehicle-mounted controller uses a preset algorithm to code-convert the target upgrade file of the vehicle-mounted upgrade package. Explain.

In one specific embodiment, after verifying the authenticity of the vehicle-mounted upgrade package, OTA Orchestrator initiates this process in a timely manner, eg, parked, or OTA Orchestrator informs the vehicle owner. You may choose to request to confirm the upgrade again. OTA Orchestrator performs division and code conversion processing on the vehicle-mounted upgrade package, and sequentially transfers the code-converted upgrade subfile to the target vehicle-mounted equipment. The present application provides three independent code conversion methods: a Hash Chain-based solution, a Hash Tree-based solution, and a Bloom Filter-based solution. The upgrade package in-vehicle transmission process based on the three code conversion methods is described below. First, it is assumed that OTA Orchestrator shares the key k with the target vehicle-mounted equipment. The shared k can be static or can be temporarily generated by the OTA Orchestrator and the target vehicle-mounted equipment.

Method 1: Hash Chain based code conversion method

1. 1. OTA Orchestrator has n parts of the upgrade file M: M ₁ , M ₂ , ... .. .. , And M _n .

2. M ₁ , M ₂ , ... .. .. , And M _n are used to form a Hash Chain as follows, and in the equation, H (.) Represents the Cryptographic Hash Function.
h _n = H (M _n )
h _i = H (M _i , h _{i + 1} )
h ₂ = H (M ₂ , h ₃ )

3. 3. OTA Orchestrator uses the shared key k (second key) to calculate v = MAC (k, M ₁ || ver, h ₂ ). In the formula, the MAC is the standard Message Authentication Code, i.e. the first MAC.

Four. Starting from the first portion, OTA Orchestrator is sequentially transfers the M _i to the target upgraded onboard devices. In the first part, OTA Orchestrator is, v, must be transferred M _1, ver, and h _2, at rest, OTA Orchestrator have only to transfer only the M _i and h _{i + 1.}

Five. Sequentially perform the verification for M _i target upgrade target vehicle-mounted device is using the shared key k. If verification for a part fails, the target upgrade target vehicle-mounted device may request a resend. After receiving and verifying all parts, the target vehicle-mounted equipment combines all parts into a complete upgrade file M.

Method 2: Hash Tree-based code conversion method

1. 1. OTA Orchestrator has n parts of the upgrade file M: M ₁ , M ₂ , ... .. .. , And M _n .

2. M ₁ , M ₂ , ... .. .. , And M _n are used to form a binary tree. As shown in the figure, the leaf nodes represent the data, and each intermediate node contains the value of the root node that can be obtained based on the value of the subnode of the intermediate node using hash, for example h ₁ = H ( M ₁ || ver || M ₂ ) and h ₅ = H (h ₁ || h ₂ ).

3. 3. OTA Orchestrator uses the shared key k (second key) to calculate the value of the root node. As shown in the figure, for example, v = MAC (k, h ₅ || h ₆ ), that is, the first MAC.

Four. Starting with M ₁ and M ₂ , OTA Orchestrator transfers the two parts to the target vehicle-mounted equipment each time. In the first two parts, OTA Orchestrator needs to transfer v, M ₁ || ver, M ₂ , h ₂ and h ₆ , and in the rest, OTA Orchestrator has two data and two. Auxiliary validation data corresponding to the data needs to be transferred. In the figure, the auxiliary verification data of M ₁ and M ₂ are h ₂ and h _6, auxiliary verification data of M ₃ and M ₄ are verified for M ₃ and M _4, it is effected using h ₂ Since it can be done, it is blank, the auxiliary validation data for M ₅ and M ₆ is h ₄ , and the auxiliary validation data for M ₇ and M ₈ is blank.

Five. The target vehicle-mounted device uses the shared key k to verify each of the two parts. If the verification of the two parts fails, the target upgrade target vehicle-mounted device may request a resend. After receiving and verifying all parts, the target vehicle-mounted equipment combines all parts into a complete upgrade file M.

Method 3: Bloom Filter-based code conversion method

A Bloom Filter is a storage-efficient data structure used to determine if data is present in a set. An example is as follows.

An array F (Bloom Filter) of length l is set, and the value of each element is initialized to 0. t hash functions, H ₁ , H ₂ , ... .. .. , And H _t are selected. Each hash function is {1, 2, ... From that set. .. .. , L}. Specifically, each element of the set is {1, 2, ... .. .. , L} maps to any value. The method for adding the element e in the set to the Bloom Filter is: the step of calculating _Hi (e) and the step of changing the position indicated by _Hi (e) in F to 1. Based on F, the way to determine if the element e'is in the set is to calculate all the hash values of e', and all the hash values dictated by all the hash values in F. This is the step of determining that an element exists in the set only when the position is 1.

Determining if an element is present in a set using a Bloom Filter has the following characteristics:

If the position indicated by one hash value of an element in F is 0, then that element is not in the set, and if the position indicated by all hash values of the element is 1, then the element is It can be judged that it is in the set, but there is a false positive, and the probability of false positive is
In the formula, n is the number of elements added to the Bloom Filter.

The time to add an element or determine if an element is in a set is constant.

The upgrade package in-vehicle transmission process based on Bloom Filter code conversion is as follows.

1. 1. OTA Orchestrator has n parts of the upgrade file M: M ₁ , M ₂ , ... .. .. , And M _n .

2. OTA Orchestrator sets Bloom Filter F and sets F to M ₁ , M ₂ , ... .. .. , And M _n are added, and the shared key k (second key) is used to calculate v = MAC (k, F), that is, the second MAC.

3. 3. Transfer the F and v to the target upgraded onboard devices, sequentially transfers the M _i.

Four. When the target upgraded onboard device performs verification of F first use the shared key k, if the validation fails, may request to retransmit the F and v, receiving each M _i, M _i there is judged whether it is within F, if M _i is not in F, and requests to retransmit the M _i, finally, all of M ₁ received, M _2,. .. .. , And M _n are combined into the complete upgrade file M.

The three methods described above assume that the confidentiality of the upgrade file does not have to be protected during in-vehicle communication. If the confidentiality of the upgrade file needs to be protected, the OTA Orchestrator must first obtain the ciphertext C _i by encrypting each M _i (using a third key in this application). There, replaced Hash Chain based methods described above, Hash Tree-based methods or the M _i in Bloom Filter based method, in C _i. In other words, as mentioned above, encryption is done using a third key. After receiving the respective partial target upgraded onboard devices encrypts the C _i to obtain the M _i after the authenticity is verified. Note that the key for encryption is preferably different from the key used by the MAC. For example, if the shared k is long enough, k may be split into two different keys, otherwise two keys can be generated based on k using the key derivation function.

The three methods mentioned above for OTA Orchestrator to split and code upgrade files have the following advantages: The target vehicle-mounted device does not have to verify the digital signature and only performs symmetric cryptographic operations, that is, MAC and Hash calculations. In addition, symmetric cryptographic operations are much more efficient than public key cryptographic operations. In addition, the vehicle-mounted equipment to be upgraded can perform segment validation against the validity of each segment, thus detecting invalid or incorrect segments in a timely manner and not resending the entire upgrade file to OTA Orchestrator. You can request a retransmission of that segment. When general code conversion is performed instead of segment code conversion, that is, when MAC is used instead of digital signature, the target vehicle-mounted equipment cannot pinpoint the error position accurately, and OTA Orchestrator Must be requested to resend the entire upgrade file. Therefore, according to the present embodiment of the present invention, not only the error position can be accurately specified, but also the calculation workload and the calculation complexity of the equipment to be upgraded in the vehicle can be reduced. The equipment installed in the target vehicle can be upgraded securely and efficiently.

In the above description, OTA Orchestrator splits the upgrade file. In another embodiment, the split may be done by the upgrade package developer. Specifically, the Hash Chain-based method is taken as an example.

1. 1. The upgrade package developer puts the upgrade file M into n parts: M ₁ , M ₂ , ... .. .. , And M _n .

2. M ₁ , M ₂ , ... .. .. , And M _n are used to form a Hash Chain as follows, and in the equation, H (.) Represents the Cryptographic Hash Function.
h _n = H (M _n )
h _i = H (M _i , h _{i + 1} )
h ₂ = H (M ₂ , h ₃ )

3. 3. Calculate σ = Sign _D (M || ver, h2) using the signature private key. The signature is the second digital signature of the application and the signature private key is the fourth key.

Four. Use [M, ver, σ] as the upgrade package and distribute the upgrade package to the upgrade server. Arbitrarily selected, M ₁ , M ₂ , ... .. .. , And M _n can be further encrypted to ensure the confidentiality of the vehicle-mounted upgrade package. See the related discussion above for encryption of upgrade files and assurance of confidentiality of upgrade files. The details are not repeated here.

When the OTA Orchestrator needs to obtain the upgrade package from the upgrade server, starting from the first portion, the upgrade server sequentially transfers the M _i to the target upgraded onboard devices. In the first part, the upgrade server, sigma, must transfer M _1, ver, and h _2, at rest, the upgrade server only needs to transfer only the M _i and h _{i + 1.}

In the first part M _1, OTA Orchestrator needs to perform verification of the digital signature sigma, at rest, OTA Orchestrator is them _{h i = H (M i,} h i + 1) even performs only validate against Just do it.

After receiving and verifying all parts, OTA Orchestrator performs the code conversion as described above, i.e. using the shared key k (fifth key of the present application) v = MAC (k, M ₁ | | Ver, h ₂ ) is calculated. The MAC is the second MAC. For subsequent upgrade package in-vehicle transmission, the upgrade and verification process is the same as that of Method 1, Method 2, and Method 3. In addition, for the Hash Tree-based code conversion method and the Bloom Filter-based code conversion method, refer to the present embodiment of the present invention and the above-mentioned methods 2 and 3. The details are not repeated here.

In the present embodiment of the present invention, after the credibility verification of the vehicle-mounted upgrade package in the vehicle-mounted control device is completed (optionally, the confidentiality verification may be further performed before the credibility verification), and then the vehicle-mounted control The device needs to transmit multiple upgrade files for which its authenticity verification (optionally, confidentiality verification can be included) to the corresponding upgrade target vehicle-mounted equipment in the vehicle-mounted system. The transmission side and the receiving side of the transmission are changed, that is, the out-of-vehicle transmission of the vehicle-mounted upgrade package becomes the in-vehicle transmission of the vehicle-mounted upgrade package. Therefore, credibility verification or even confidentiality verification needs to be performed again. In addition, according to the present embodiment of the present invention, signature verification that requires a large computational workload and high computational complexity is performed on the vehicle-mounted controller side, with a small computational workload and low computational complexity. The completed MAC verification will still be performed on the vehicle-mounted equipment to be upgraded. This not only guarantees high upgrade efficiency for vulnerable upgrade target vehicle-mounted equipment, but also guarantees in-vehicle and out-of-vehicle security during the vehicle-mounted upgrade process.

Based on the above explanation, it can be understood that this application provides the following important technical points.

The first point is the authenticity of the vehicle-mounted upgrade package. That is, the equipment mounted on the vehicle to be upgraded is inspected for the authenticity of the upgrade package. To ensure the authenticity of the upgrade package, the digital signature of the upgrade package must be provided by the developer or the upgrade server (package server). When the upgrade package reaches OTA Orchestrator, OTA Orchestrator will help the on-board equipment to be upgraded verify the digital signature. The OTA Orchestrator then performs transcoding. The code conversion operation uses symmetric ciphers to provide upgrade package authenticity verification for the vehicle-mounted equipment to be upgraded. It is assumed that the OTA Orchestrator shares the key with each vehicle-mounted device to be upgraded. This key may be pre-distributed by OTA Orchestrator and the specific distribution process is outside the scope of this application. The upgrade package is divided into a plurality of parts by a transcoding operation, and each part is transmitted to the equipment mounted on the vehicle to be upgraded. Specifically, Hash Chain-based code conversion operations, Hash Tree-based code conversion operations, and Bloom Filter-based code conversion operations are provided. The advantages of the code conversion operation for each part and the transmission technology for each part are as follows. The computational power limits of vehicle-mounted equipment and the bandwidth limits of in-vehicle communication networks are fully taken into account. After an upgrade package transmission error occurs, the vehicle-mounted equipment can find the part where the transmission error occurred, so only the error part is required to be retransmitted, not the entire upgrade package.

The second point is the Confidentiality of the vehicle-mounted upgrade package. That is, an attacker could use reverse engineering techniques to analyze the contents of the upgrade package. Therefore, the confidentiality of vehicle-mounted upgrade packages needs to be protected. Protection solutions are provided based on two cases:

a. If the upgrade package is not encrypted by the upgrade server, when the vehicle-mounted Telematics obtains the upgrade package, the upgrade server authenticates to the vehicle-mounted Telematics in order to send the upgrade package over a secure channel. You need to do it and establish a secure channel.

b. If the upgrade package is encrypted on the upgrade server (using a symmetric key), the vehicle-mounted Telematics will need to obtain the encryption key from the key server, with the other steps being the same as in case a.

The final point is the ability-based upgrade policy. That is, different vehicle-mounted devices have different computing power and storage resources. For example, vehicle-mounted Telematics, gateways, and VCUs typically have relatively strong capabilities, while most vehicle-mounted equipment (ECUs) have relatively weak processing power. Therefore, a capability-based upgrade policy is provided. Specifically, the A / B system update upgrade mode should be used for high-capacity equipment or major equipment, but for weak-capacity equipment, OTA is used to perform rollback when the upgrade fails. With the help of Orchestrator, older versions of firmware or software on the vehicle-mounted equipment to be upgraded may be backed up.

The method of the embodiment of the present invention has been described in detail above. The related devices according to the embodiment of the present invention are shown below.

FIG. 6 is a schematic structural diagram of a vehicle-mounted upgrade device according to an embodiment of the present invention. The vehicle-mounted upgrade device is applied to a vehicle-mounted system, and the vehicle-mounted system includes a vehicle-mounted control device and one or more vehicle-mounted devices to be upgraded. The vehicle-mounted upgrade device 10 may be a vehicle-mounted control device in the system described above, and the device 10 may include an upgrade package acquisition unit 101, an upgrade management unit 102, and an upgrade transmission unit 103. These units will be described in detail below.

The upgrade package acquisition unit 101 acquires the vehicle-mounted upgrade package so that the vehicle-mounted upgrade package contains multiple upgrade files and each upgrade file is used to upgrade at least one vehicle-mounted equipment to be upgraded. It is composed.

The upgrade management unit 102 is configured to perform security verification on a plurality of upgrade files.

The upgrade transmission unit 103 uses the target upgrade file to send the target upgrade file to the target vehicle-mounted equipment to be upgraded, and the target upgrade file is an upgrade file whose security verification is successful in the multiple upgrade files. Is configured to be.

In one possible embodiment, the vehicle-mounted upgrade package includes a first digital signature, and the upgrade management department specifically uses the first digital signature to perform digital signature verification on multiple upgrade files. It is composed.

In one possible embodiment, the device 10
An identity and authentication unit configured to send identity and authentication information to the upgrade server,
It also includes a channel establishment unit configured to establish a secure channel between the vehicle-mounted controller and the upgrade server if the identification credentials are authenticated by the upgrade server.
The upgrade package acquisition unit is specifically configured to acquire the vehicle-mounted upgrade package from the upgrade server via a secure channel.

In one possible embodiment, the vehicle-mounted upgrade package is encrypted using a first key, the first key is a symmetric key, and the device is
It also includes a key acquisition unit, which is configured to acquire the first key from the key server.
Device 10
After digital signature verification is performed on multiple upgrade files using the first digital signature, if the digital signature verification is successful for the vehicle-mounted controller, then multiple using the first key Includes a decryption section, configured to decrypt the upgrade file of.

In one possible embodiment, the upgrade transmission unit 103
Divide the target upgrade file into multiple upgrade subfiles, use a preconfigured algorithm to generate multiple interrelated data blocks from multiple upgrade subfiles, and use a second key to create multiple data blocks. It is specifically configured to generate one message authentication code MAC, the second key is the symmetric algorithm key, and sequentially send multiple blocks of data carrying the first MAC to the target vehicle-mounted equipment. File.

In one possible embodiment, the device 10
It also contains an encryption part, which is configured to encrypt each of the multiple upgrade subfiles using a third key.
The upgrade transmission unit 103
Split the target upgrade file into multiple upgrade subfiles and use preconfigured algorithms for vehicle-mounted controllers to correlate multiple upgrade subfiles encrypted with a third key. Generate a data block and use the second key to generate the first message authentication code MAC for multiple data blocks, the second key is the symmetric algorithm key, and the target vehicle-mounted device Send multiple data blocks that carry one MAC in sequence,
Especially configured as.

In one possible embodiment, the target upgrade file contains multiple upgrade subfiles, multiple upgrade subfiles are used to generate multiple interrelated data blocks from multiple upgrade subfiles, and multiple upgrade subfiles Carrying the second digital signature of multiple data blocks generated using the fourth key, the fourth key is an asymmetric key,
The upgrade control unit 102 is specifically configured to inspect the second digital signature of multiple data blocks for the vehicle-mounted controller.
The upgrade transmission unit 103 uses the fifth key to generate the second MAC of a plurality of data blocks, and the fifth key is the symmetric algorithm key, and the second MAC is applied to the target vehicle-mounted device. It is specifically configured to sequentially transmit multiple data blocks that carry the algorithm.

In one possible embodiment, the preset algorithm includes any one of the Hash Chain algorithm, the Hash Tree algorithm, and the Bloom Filter algorithm.

In one possible embodiment, the device 10
A retransmission unit configured to retransmit the target data block to the target vehicle-mounted device to be upgraded, and the target data block is a data block whose verification failed in the target upgrade target vehicle-mounted device in multiple data blocks. It also includes a retransmission section.

It should be noted that for the functions of the functional parts of the vehicle-mounted upgrade device 10 described in the present embodiment of the present invention, the related description of the method embodiment shown in FIGS. 1 to 6 is referred to. The details are not repeated here.

FIG. 7 is a schematic structural diagram of a vehicle-mounted device to be upgraded according to an embodiment of the present invention. The upgrade target vehicle-mounted device 20 is applied to a vehicle-mounted system, and the vehicle-mounted system includes a vehicle-mounted control device and one or more upgrade target vehicle-mounted devices. The upgrade target vehicle-mounted device 20 may be the upgrade target vehicle-mounted device in the above-mentioned system, and the device 20 may include a receiving unit 201 and an upgrade unit 202. These units will be described in detail below.

The receiver 201 receives the target upgrade file transmitted by the vehicle-mounted controller, and the target upgrade file upgrades at least the target vehicle-mounted equipment for which the security verification performed by the vehicle-mounted controller has been successful. It is configured to be an upgrade file used for.

Upgrade unit 202 is used to perform a secure upgrade using the target upgrade file.

In one possible embodiment, upgrade unit 202
First upgrade using A / B system update upgrade mode, using the target upgrade file to perform a secure upgrade, and the equipment to be upgraded exceeds its resource storage capacity and / or processing capacity. Eligible vehicle-equipped equipment, or pre-designated first upgrade target vehicle-equipped equipment,
Especially configured as.

In one possible embodiment, the target upgrade file contains multiple upgrade subfiles and the receiver 201
Multiple data blocks transmitted by a vehicle-mounted controller that carry the first MAC are sequentially received, and multiple data blocks are generated from multiple upgrade subfiles using a preset algorithm. An interrelated data block, the first MAC is the message authentication code for multiple data blocks generated using the second key, and the second key is the symmetric key.
Specially configured as
Upgrade unit 202
The second key is used to sequentially validate multiple data blocks based on a preset algorithm, and once all of the multiple data blocks have been validated, the multiple sequential validated data blocks are upgraded. Combine with,
Especially configured as.

In one possible embodiment, multiple upgrade subfiles are encrypted using a third key,
Upgrade unit 202
The second key is used to sequentially validate multiple data blocks based on a preset algorithm, and once all of the multiple data blocks are validated, the third key is used to validate the multiple blocks sequentially. Decrypt each of the decrypted data blocks and combine multiple decrypted data blocks for decryption using a third key,
Especially configured as.

In one possible embodiment, the receiver 201
Multiple data blocks transmitted by a vehicle-mounted controller that carry a second MAC are sequentially received, and multiple data blocks are generated from multiple upgrade subfiles using a preset algorithm. Interrelated data blocks, the second MAC is the message authentication code for multiple data blocks generated using the fifth key, and the fifth key is the symmetric algorithm.
Specially configured as
Upgrade unit 202
Sequential validation of multiple data blocks based on a preset algorithm using the fifth key, and once all of the multiple data blocks have been validated, the multiple sequentially validated data blocks for upgrade Combine with,
Especially configured as.

In one possible embodiment, the device 20
It is a retransmission unit configured to reacquire the target data block from the vehicle-mounted control device, and the target data block is a data block whose verification has failed in the target upgrade target vehicle-mounted device in a plurality of data blocks. , Further includes a retransmission section.

It should be noted that for the functions of the functional parts of the vehicle-mounted device 20 to be upgraded described in the present embodiment of the present invention, the related description of the method embodiment shown in FIGS. 1 to 6 is referred to. The details are not repeated here.

FIG. 8 is a schematic structural diagram of an apparatus according to an embodiment of the present invention. In the structure of FIG. 8, both the upgrade target vehicle mounting device 10 and the upgrade target vehicle mounting device 20 can be implemented. The device 30 includes at least one processor 301, at least one memory 302, and at least one communication interface 303. In addition, the device may further include general purpose components such as antennas, which are not described in detail here.

Processor 301 is a general-purpose central processing unit (CPU), microprocessor, application specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of programs in the above-mentioned solutions. Can be.

The communication interface 303 is configured to communicate with another device, such as an upgrade server, key server, or in-vehicle device, or with a communication network.

Memory 302 is a read-only memory (ROM) that can store static information and instructions, or any type of static storage device, or a random access memory that can store information and instructions. Random access memory (RAM) or any type of dynamic storage device, or electrically erasable programmable read-only memory (EEPROM), compact disk read-only memory (Compact) Disc Read-Only Memory, CD-ROM) or other optical storage, optical discs (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disc storage media or other magnetic storage devices, or It may be, but is not limited to, any other medium that can be used to carry or store the expected program code in the form of instructions or data structures and is accessible by a computer. The memory may exist independently and is connected to the processor using a bus. Alternatively, the memory may be integrated with the processor.

The memory 302 is configured to store the application program code for executing the above-mentioned solution, and the processor 301 controls the execution. Processor 301 is configured to execute application program code stored in memory 302.

When the device shown in FIG. 8 is the vehicle-mounted equipment upgrade device 10, the code stored in the memory 302 is the step of obtaining the vehicle-mounted equipment upgrade method shown in FIG. 2, for example, the vehicle-mounted upgrade package. , The vehicle-mounted upgrade package contains multiple upgrade files, and each upgrade file is used to upgrade at least one vehicle-mounted equipment to be upgraded, such as steps and security verification steps for multiple upgrade files. The target upgrade file is a step that sends the target upgrade file to the target vehicle-mounted equipment that should be upgraded using the target upgrade file, and the target upgrade file is an upgrade whose security verification is successful in multiple upgrade files. Can be used to perform steps, which are files.

It should be noted that for the function of each functional part of the vehicle-mounted equipment upgrade device 10 described in the present embodiment of the present invention, the related description of step S502 and step S503 of the method embodiment shown in FIG. 5 is referred to. .. The details are not repeated here.

When the device shown in FIG. 8 is the vehicle-mounted device 20 to be upgraded, the code stored in the memory 302 is the target upgrade file transmitted by the vehicle-mounted device upgrade method shown in FIG. 9, for example, the vehicle-mounted controller. The target upgrade file is an upgrade file that has been successfully validated by the vehicle-mounted controller and is at least used to upgrade the target vehicle-mounted equipment. Can be used to perform a secure upgrade step, using a target upgrade file.

It should be noted that for the function of each functional unit of the vehicle-mounted device 20 to be upgraded described in the present embodiment of the present invention, the related description of step S504 and step S505 of the method embodiment shown in FIG. 5 is referred to. .. The details are not repeated here.

FIG. 9 is a schematic structural diagram of an intelligent vehicle according to an embodiment of the present invention. The intelligent vehicle 40 includes a vehicle-mounted controller 401 and at least one upgradeable vehicle-mounted device 402.

Vehicle-mounted device 401 should obtain a vehicle-mounted upgrade package, perform security verification on multiple upgrade files in the vehicle-mounted upgrade package, and upgrade using the target upgrade file. Send the target upgrade file to the equipment, each upgrade file is used to upgrade at least one vehicle-mounted equipment to be upgraded, and the target upgrade file is the upgrade file whose validation was successful in multiple upgrade files. It is configured as follows.

The upgrade target vehicle-mounted device 402 receives the target upgrade file transmitted by the vehicle-mounted controller, performs a secure upgrade using the target upgrade file, and the upgrade target vehicle-mounted device is the target upgrade target vehicle-mounted device. , Which is configured as

In one possible embodiment, the vehicle-mounted controller 401 is specifically configured to perform digital signature verification on a plurality of upgrade files using a first digital signature.

In one possible embodiment, the vehicle-mounted controller 401 is
If the identification credentials are sent to the upgrade server and the identification credentials are authenticated by the upgrade server, a secure channel is established between the vehicle-mounted controller and the upgrade server, and the upgrade server sends the vehicle through the secure channel. Get the on-board upgrade package,
As specifically configured or the vehicle-mounted upgrade package is encrypted using a first key, the first key is a symmetric key, and the vehicle-mounted controller 401 is
Multiple upgrade files using the first key after successfully obtaining the first key from the key server and performing digital signature verification on multiple upgrade files using the first digital signature To decipher
Especially configured as.

In one possible embodiment, the vehicle-mounted controller 401 is
Split the target upgrade file into multiple upgrade subfiles, use a preconfigured algorithm to generate multiple interrelated data blocks, and use a second key to use the second key to generate the first message authentication code MAC for multiple data blocks. Is generated, and multiple data blocks carrying the first MAC are sequentially transmitted to the target vehicle-mounted device, and the second key is the symmetric algorithm key.
Specially configured as
Vehicle-mounted equipment 402 to be upgraded
Multiple data blocks transmitted by the vehicle-mounted controller that carry the first MAC are sequentially received, and the second key is used to sequentially verify the multiple data blocks based on the preset algorithm. Once all of the multiple data blocks have been validated, combine those multiple sequential validated data blocks for upgrade.
Especially configured as.

In one possible embodiment, the vehicle-mounted controller 401 is
Multiple upgrade subfiles are encrypted using a third key, and multiple interrelated data from multiple upgrade subfiles encrypted using a third key using a preconfigured algorithm. Generate blocks,
Specially configured as
Vehicle-mounted equipment 402 to be upgraded
Once all of the data blocks have been validated, the third key is used to decrypt each of those sequential validated data blocks, and the third key is used to decrypt the decrypted data blocks. Combine for upgrade,
Especially configured as.

In one possible embodiment, the target upgrade file contains multiple upgrade subfiles, multiple upgrade subfiles are used to generate multiple interrelated data blocks from multiple upgrade subfiles, and multiple upgrade subfiles Carrying the second digital signature of multiple data blocks generated using the fourth key, the fourth key is an asymmetric key,
The vehicle-mounted control device 401 is
Inspects the second digital signature of multiple data blocks, uses the fifth key to generate a second MAC for multiple data blocks, and transports the second MAC to the target vehicle-mounted equipment. Sending multiple data blocks in sequence, the fifth key is the symmetric algorithm key,
Specially configured as
Vehicle-mounted equipment 402 to be upgraded
Multiple data blocks transmitted by the vehicle-mounted controller that carry the second MAC are sequentially received, and the fifth key is used to sequentially verify the multiple data blocks based on the preset algorithm. Once all of the multiple data blocks have been validated, combine those multiple sequential validated data blocks for upgrade.
Especially configured as.

Regarding the vehicle-mounted control device 401 and the upgrade target vehicle-mounted device 402 of the intelligent vehicle 40 described in the present embodiment of the present invention, the relationship between the vehicle-mounted control device and the upgrade target vehicle-mounted device in the method embodiment shown in FIG. Please note that the description is referenced. The details are not repeated here.

Intelligent Vehicle 40 uses computers, state-of-the-art sensing methods, information convergence, communication, artificial intelligence, automatic control, and other technologies to intelligent driving systems, life service systems, security protection systems, positioning service systems, car services. You can see that it can be further integrated with features such as systems. This is not particularly limited in this application and will not be described in detail here.

One embodiment of the present invention further provides a computer storage medium. The computer storage medium stores the program and when executed, the program performs some or all of the steps described in any one of the aforementioned method embodiments.

One embodiment of the present invention further provides a computer program. The computer program contains instructions, and when the computer program is executed by the computer, the computer will be able to perform some or all of the steps of any one of the vehicle-mounted equipment upgrade methods.

In each of the above-described embodiments, the description of each embodiment has its own viewpoint. For parts not described in detail in one embodiment, refer to the related description of other embodiments.

Note that for the sake of brevity, the method embodiments described above are represented as a series of operations. However, one of ordinary skill in the art should understand that according to the present application, the application is not limited to the order of operation described, as some steps may be performed in other order or at the same time. It should be further understood by those skilled in the art that all embodiments described herein are examples of embodiments and that related actions and modules are not always required in this application.

It should be understood that in some embodiments provided in this application, the disclosed device may be implemented in other ways as well. For example, the device embodiment described is only an example. For example, the unit division is only a logical functional division, and may be another division in the actual implementation. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented. In addition, the interconnected or direct coupled or communication connections shown or described may be realized via several interfaces. Indirect coupling or communication connections between devices or units can be realized in electrical or other forms.

The aforementioned units described as separate parts may or may not be physically separated, and the parts shown as units may or may not be physical units and are located in one place. In some cases, it may be distributed over multiple network units. Part or all of the units may be selected based on the actual requirements to achieve the objectives of the solution of each embodiment.

In addition, the functional units in each embodiment of the present application may be integrated into one processing unit, or each of the units may be physically independent, or two or more units may be one. Integrated into one unit. The integrated unit may be realized in the form of hardware or in the form of a software function unit.

When the above-mentioned integrated unit is realized in the form of a software functional unit and sold or used as an independent product, the integrated unit may be stored in a computer-readable storage medium. Based on such understanding, the technical solutions of the present application may be realized in the form of software products, in essence, or in part that contributes to the prior art, or in whole or in part. The computer software product is stored on a storage medium to instruct a computer device (which may be a personal computer, server, network device, etc.) to perform all or part of the steps of the method described in embodiments of this application. Includes several instructions. The above-mentioned storage medium stores program code such as a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a read-only memory (abbreviated as ROM), and a random access memory (abbreviated as RAM). Includes any medium that can be.

The aforementioned embodiments are not intended to limit the application, but merely to explain the technical solutions of the application. Although the present application has been described in detail in connection with the aforementioned embodiments, the technical aspects described in the aforementioned embodiments without departing from the spirit and scope of the technical solutions of the embodiments of the present application. Those skilled in the art will appreciate that the solution may be further modified or equivalent substitutions may be made to some of the technical features of the aforementioned embodiments.

10 Vehicle-mounted upgrade device
101 Upgrade Package Acquisition Department
102 Upgrade Management Department
103 Upgrade transmission
20 Vehicle-mounted equipment to be upgraded
201 Receiver
202 Upgrade Department
30 equipment
301 processor
302 memory
303 communication interface
40 Intelligent vehicle
401 Vehicle-mounted controller
402 Vehicle-mounted equipment to be upgraded

However, during the remote upgrade of the vehicle-mounted equipment to be upgraded, some of the vehicle-mounted equipment to be updated have problems such as the limit of computing power and the limit of storage space, so the vehicle-mounted equipment to be updated Upgrades are relatively inefficient and can even affect the upgrade of the entire vehicle-mounted system. Therefore, how to ensure a secure and efficient firmware / software upgrade for vehicle-mounted equipment is an urgent issue to be resolved.

According to the first aspect, one embodiment of the present invention provides a vehicle-mounted device upgrade method, the vehicle-mounted device upgrade method.
The vehicle-mounted controller is the step to obtain the vehicle-mounted upgrade package, where the vehicle-mounted upgrade package contains multiple upgrade files, and each upgrade file is used to upgrade at least one vehicle-mounted equipment to be upgraded. , Steps, and the step that the vehicle-mounted controller performs security verification for multiple upgrade files, and the target upgrade of the vehicle-mounted controller to the target vehicle-mounted equipment that should be upgraded using the target upgrade file. Includes a step of submitting a file, where the target upgrade file is an upgrade file that has been successfully validated for security within multiple upgrade files. According to the present embodiment of the present invention, the vehicle-mounted control device side performs security verification processing on the vehicle-mounted upgrade package required for upgrading the vehicle-mounted equipment, and is subject to update having different upgrade capabilities. Prevents the vehicle-mounted equipment from being involved in the security verification process, thereby ensuring that the vehicle-mounted equipment is upgraded securely and efficiently using the vehicle-mounted upgrade package.

According to a third aspect, one embodiment of the present invention provides a vehicle-mounted device upgrade method, wherein the vehicle-mounted device upgrade method is:
Target Upgrade The target vehicle-mounted device is the step of receiving the target upgrade file sent by the vehicle-mounted controller, and the target upgrade file has been successfully verified for security by the vehicle-mounted controller, at least the target upgrade. It may include steps, which are upgrade files used to upgrade the target vehicle-mounted equipment, and steps in which the target vehicle-mounted equipment performs a secure upgrade using the target upgrade file. In the present embodiment of the present invention, the target upgrade target vehicle-mounted device receives the upgrade file whose security verification process has already been performed on the vehicle-mounted control device side, and is mounted on the vehicle that is the target of the update having different upgrade capabilities. Equipment upgrades are performed using upgrade files to prevent equipment from being involved in the security verification process, which allows the equipment to be upgraded to be upgraded securely and efficiently using the vehicle-mounted upgrade package. Is guaranteed to be.

According to a fifth aspect, the present application provides a vehicle-mounted device to be upgraded. The device has a function of implementing any one of the vehicle-mounted equipment upgrade method embodiments described above. This function may be performed by using the hardware or by running the corresponding software on the hardware. Hardware or software contains one or more modules that correspond to a function.

(5) . The Controller Area Network (CAN) bus is the most widely applied fieldbus in the world. The reliability and powerful error detection capability of the CAN bus has received a lot of attention, so the CAN bus is widely applied to vehicle computer control systems as well as industrial environments with hash ambient temperatures, strong electromagnetic radiation, and violent vibrations. Has been done. The CAN bus is a widely applied fieldbus and has great application prospects in fields such as industrial measurement and control and industrial automation. CAN is a serial communication bus network. The CAN bus has the advantages of reliability, real-time, and flexibility in data communication. For transparent design and flexible execution, the structure of the CAN bus is in the physical layer and data link layer (including the logical link control LLC sublayer and the medium access control MAC sublayer) according to the ISO / OSI standard model. It is divided.

(6) . A message authentication code (MAC) is an encoding function for a signal source. The MAC is similar to the digest algorithm, but the key must be used during the calculation, so the MAC depends on both the key used and the information on which the MAC needs to be calculated. In practice, the MAC is usually obtained by construction based on the digest algorithm.

(7) . A key derivation function (KDF) is a key derivation function used during encryption and decryption. The function of the key derivation function is to derive the key data from the shared secret bit serial port. During key negotiation, the key derivation function acts on the secret bitstring obtained in the key exchange to generate the required session key or key data required for further encryption.

(8) . Public-key cryptography (asymmetric cryptography): Public-key cryptography is also called asymmetric cryptography. The asymmetric key algorithm means that the encryption key of the encryption algorithm is different from the decryption key of the encryption algorithm, or one key of the encryption algorithm cannot be estimated using the other key. A user with public key cryptography has an encryption key and a decryption key, and cannot obtain the decryption key using the encryption key. In addition, the encryption key is public. Based on this principle, public key cryptography is designed to use support information (trapdoor information) as a private key. The security of this type of cipher depends on the computational complexity of the problems underlying this type of cipher. Currently, common public key cryptography includes RSA public key cryptography, ElGamal public key cryptography, and elliptic curve cryptography.

(9) . Symmetrical encryption: Symmetrical key encryption is also called dedicated key encryption. Specifically, the data transmitting side and the data receiving side always use the same key to perform the encryption operation and the decryption operation on the plaintext. That is, the encryption key can be inferred from the decryption key and vice versa. In most symmetric algorithms, the encryption key is the same as the decryption key. These algorithms, also called private key algorithms or single key algorithms, require the sender and receiver to consent to the key prior to secure communication. The security of the symmetric algorithm depends on the key, and a key leak means that anyone can encrypt and decrypt the message. The key needs to be kept confidential if the communication requires confidentiality.

(10) . The Transport Layer Security (TLS) protocol is used to provide confidentiality and data integrity between two application programs. The protocol includes two layers, the TLS Record protocol and the TLS Handshake protocol. The Transport Layer Security (TLS) protocol is used to provide confidentiality and data integrity between two communication application programs.

Solution 1: Use the Joint Test Action Group (JTAG) interface or the Background Debug Mode (BDM) interface to write online or after the vehicle-mounted equipment has been disassembled. Do. Specifically, method 1 and method 2 may be included.

In addition to Solution 1 and Solution 2 above, remote upgrades are currently being implemented on some vehicles. However, remote upgrades are generally performed primarily on vehicle-mounted equipment with relatively high computational power and relatively large storage space. In other words, it is currently not possible to provide a secure and efficient firmware / software upgrade method for vehicle-mounted equipment with relatively weak computing power or relatively small storage space. Therefore, how to perform secure and efficient firmware / software upgrades for vehicle-mounted equipment that is subject to updates with various upgrade capabilities within the vehicle-mounted system is actually resolved in this application. It is a technical issue that needs to be done.

In order to facilitate the understanding of the embodiments of the present invention, the vehicle-mounted upgrade system architecture applied to the embodiments of the present invention will first be described below based on the above description. FIG. 1 is a diagram of a vehicle-mounted system upgrade architecture (abbreviated as architecture 1) according to an embodiment of the present invention. The vehicle-mounted equipment upgrade method provided in this application may be applied to this system architecture. The system architecture includes an upgrade server, a vehicle-mounted controller, and vehicle-mounted equipment that is subject to multiple updates, such as HMI (human-machine interface), BMS (battery management system), ECU1, and ECU2. The vehicle-mounted controller may include a Telematics unit and an OTA Orchestrator unit that are configured to manage and assist the upgrade process of the vehicle-mounted equipment that is subject to multiple updates . In this system architecture, remote upgrade of vehicle-mounted equipment may include the basic processes of releasing an upgrade package, obtaining an upgrade package, transmitting the upgrade package in-vehicle, and upgrading and verifying.

The OTA Orchestrator in the vehicle-mounted controller is responsible for communicating with the vehicle-mounted equipment that is subject to in-vehicle updates . In this application, the vehicle-mounted upgrade package passes through Telematics and management units / modules and finally reaches the target vehicle-mounted equipment for upgrade. The main function of OTA Orchestrator is to manage and assist the upgrade process of vehicle-mounted equipment. Specifically, the OTA Orchestrator must have the following features: Key distribution and management, OTA process management, and support for other low-capacity vehicle-mounted equipment for operations that require heavy computational workloads: A backup node for another vehicle-mounted device to be upgraded that is less capable for verifying the integrity and authenticity of the upgrade package, for example, for transcoding, and rollback in the event of an upgrade failure. To play the role of. OTA Orchestrator is a logical entity that can be physically placed on any powerful unit or module such as Telematics, Gateway, or VCU. The structure of the OTA Orchestrator can be shown in Figure 2. FIG. 2 is a schematic structural diagram of an OTA Orchestrator according to an embodiment of the present invention. The OTA Orchestrator includes a processor CPU, associated volatile memory RAM, associated non-volatile memory ROM, and a secure storage device configured to store keys, such as static keys shared with vehicle-mounted equipment. obtain. The OTA Orchestrator also includes memory configured to store the OTA management program, which is used to manage the upgrade process and is mounted on another vehicle via CAN bus or another in-vehicle network. It also includes a network interface that can communicate with the device. When OTA Orchestrator is implemented on Telematics, it can be seen that OTA Orchestrator needs more network interfaces to communicate with external networks. That is, the OTA Orchestrator must have relatively powerful computing power and relatively large resources to help the vehicle-mounted equipment complete the remote upgrade and be trusted by another vehicle-mounted equipment. is there. Regarding the logical architecture division, OTA Orchestrator divides the architecture into an out-of-vehicle communication part and an in-vehicle communication part. The equipment inside the vehicle only needs to perform a symmetric cryptographic operation instead of a public key cryptographic operation. If the public key encryption operation needs to be performed, the public key cryptographic operation, in order to reduce the complexity of the computational workload and calculation of upgrading equipment in the vehicle, are assigned to OTA Orchestrator.

For the vehicle-mounted equipment to be updated, the configuration of any one of the vehicle-mounted equipment to be updated may be shown in FIG. FIG. 3 is a schematic structural diagram of a vehicle-mounted device to be upgraded according to an embodiment of the present invention. Vehicle-mounted equipment to be upgraded may include a microcontroller (Micro controller), a CAN controller (CAN controller), and a transceiver (Transceiver). Vehicle-mounted equipment to be upgraded uses the transceiver Transceiver to communicate with the in-vehicle network such as CAN bus. The CAN controller is configured to perform the CAN protocol and the microcontroller is configured to perform the relevant computational processing before and after the upgrade. For example, the microcontroller may implement the vehicle-mounted equipment upgrade method performed by the vehicle-mounted equipment to be upgraded in this application. With reference to the schematic structure above, in this application, the target upgrade target vehicle-mounted equipment was transmitted by the vehicle-mounted controller based on an in-vehicle network such as CAN bus using a transmitter / receiver (Transceiver). Receive the target upgrade file and use the target upgrade file and the Micro Controller to perform a secure upgrade. For more specific functions, refer to the description of the functions related to the equipment mounted on the vehicle to be upgraded in the subsequent embodiments.

For other aspects, such as the specific functionality of the vehicle-mounted controller and the vehicle-mounted equipment that is subject to multiple updates , see the description of functional entities or units in the vehicle-mounted system upgrade architecture corresponding to Figure 1. Can be understood. The details are not repeated here.

It should be noted that the vehicle-mounted system upgrade architecture of FIGS . 1 and 4 is only two examples of embodiments of the embodiments of the present invention. The communication system architecture of the embodiment of the present invention includes, but is not limited to, the system architecture described above.

In step S503, the vehicle-mounted equipment subject to different updates may only support some upgrade files in the vehicle-mounted upgrade package. Therefore, the vehicle-mounted controller needs to send the successfully verified target upgrade file in the multiple upgrade files to the target upgrade target vehicle-mounted device to be upgraded using the target upgrade file. It can be seen that the size and content of the upgrade subfiles in the target upgrade file can vary.

In step S504, the target upgrade target vehicle-mounted device receives the target upgrade file transmitted by the vehicle-mounted controller. The target upgrade file is an upgrade file used for at least the target vehicle-mounted equipment for which the security verification performed by the vehicle-mounted controller has been successful. Specifically, this process is the process of secure transmission of the vehicle-mounted upgrade package within the vehicle.

The three methods described above assume that the confidentiality of the upgrade file does not have to be protected during in-vehicle communication. If the confidentiality of the upgrade file needs to be protected, the OTA Orchestrator must first obtain the ciphertext C _i by encrypting each M _i (using a third key in this application). There, replaced Hash Chain based methods described above, Hash Tree-based methods or the M _i in Bloom Filter based method, in C _i. In other words, as mentioned above, encryption is done using a third key. After receiving the respective partial target upgraded onboard devices encrypts the C _i to obtain the M _i after the authenticity is verified. Note that the key for encryption is preferably different from the key used in MAC processing . For example, if the shared k is long enough, k may be split into two different keys, otherwise two keys can be generated based on k using the key derivation function.

FIG. 6 is a schematic structural diagram of a vehicle-mounted upgrade device according to an embodiment of the present invention. The vehicle-mounted upgrade device is applied to a vehicle-mounted system, which includes a vehicle-mounted control device and one or more vehicle-mounted devices that are subject to update . The vehicle-mounted upgrade device 10 may be a vehicle-mounted control device in the system described above, and the device 10 may include an upgrade package acquisition unit 101, an upgrade management unit 102, and an upgrade transmission unit 103. These units will be described in detail below.

It should be noted that for the functions of the functional parts of the vehicle-mounted upgrade device 10 described in the present embodiment of the present invention, the related description of the method embodiment shown in FIGS . 1 to 5 is referred to. The details are not repeated here.

FIG. 7 is a schematic structural diagram of a vehicle-mounted device to be upgraded according to an embodiment of the present invention. The vehicle-mounted device 20 to be upgraded is applied to a vehicle-mounted system, and the vehicle-mounted system includes a vehicle-mounted control device and one or more vehicle-mounted devices to be updated . The upgrade target vehicle-mounted device 20 may be the upgrade target vehicle-mounted device in the above-mentioned system, and the device 20 may include a receiving unit 201 and an upgrade unit 202. These units will be described in detail below.

When the device shown in FIG. 8 is the vehicle-mounted equipment upgrade device 10, the code stored in the memory 302 is a step to obtain the vehicle-mounted equipment upgrade method shown in FIG. 5 , for example, the vehicle-mounted upgrade package. , The vehicle-mounted upgrade package contains multiple upgrade files, and each upgrade file is used to upgrade at least one vehicle-mounted equipment to be upgraded, such as steps and security verification steps for multiple upgrade files. The target upgrade file is a step that sends the target upgrade file to the target vehicle-mounted equipment that should be upgraded using the target upgrade file, and the target upgrade file is an upgrade whose security verification is successful in multiple upgrade files. Can be used to perform steps, which are files.

When the device shown in FIG. 8 is the vehicle-mounted device 20 to be upgraded, the code stored in the memory 302 is the target upgrade file transmitted by the vehicle-mounted device upgrade method shown in FIG. 5 , for example, the vehicle-mounted controller. The target upgrade file is an upgrade file that has been successfully validated by the vehicle-mounted controller and is at least used to upgrade the target vehicle-mounted equipment. Can be used to perform a secure upgrade step, using a target upgrade file.

The aforementioned embodiments are not intended to limit the application, but merely to explain the technical solutions of the application. Although the present application has been described in detail in connection with the aforementioned embodiments, the technical solutions described in the aforementioned embodiments without departing from the scope of the technical solutions of the embodiments of the present application. Those skilled in the art will appreciate that further modifications can be made to the above or equivalent substitutions for some of the technical features of the aforementioned embodiments.

Claims (22)

A vehicle-mounted equipment upgrade method applied to a vehicle-mounted system, wherein the vehicle-mounted system includes a vehicle-mounted control device and one or more vehicle-mounted equipment to be upgraded.
The vehicle-mounted controller is a step in obtaining a vehicle-mounted upgrade package, wherein the vehicle-mounted upgrade package contains a plurality of upgrade files, and each upgrade file is used to upgrade at least one vehicle-mounted equipment to be upgraded. To be done, steps and
A step in which the vehicle-mounted control device performs security verification on the plurality of upgrade files,
The vehicle-mounted control unit is a step of transmitting the target upgrade file to the target vehicle-mounted device to be upgraded by using the target upgrade file, and the target upgrade file is included in the plurality of upgrade files. How to upgrade vehicle-mounted equipment, including steps and upgrade files that have been successfully verified for security. The step in which the vehicle-mounted upgrade package contains a first digital signature and the vehicle-mounted controller performs security verification on the plurality of upgrade files.
The method of claim 1, wherein the vehicle-mounted control device comprises the step of performing a digital signature verification on the plurality of upgrade files using the first digital signature. The above method
The step that the vehicle-mounted control device transmits the identification authentication information to the upgrade server,
If the identification credentials are authenticated by the upgrade server, it further includes the step of establishing a secure channel between the vehicle-mounted controller and the upgrade server.
The step by which the vehicle-mounted controller acquires the vehicle-mounted upgrade package is
2. The method of claim 2, wherein the vehicle-mounted control unit includes a step of acquiring the vehicle-mounted upgrade package from the upgrade server via the secure channel. The vehicle-mounted upgrade package is encrypted using a first key, the first key is a symmetric key, and the method is such that the vehicle-mounted controller obtains the first key from a key server. Including further steps to
After the step in which the vehicle-mounted controller performs digital signature verification on the plurality of upgrade files using the first digital signature, the method:
The method of claim 2, wherein the vehicle-mounted control device comprises the step of decrypting the plurality of upgrade files using the first key if the digital signature verification is successful. The step of transmitting the target upgrade file to the target vehicle-mounted device to which the vehicle-mounted controller should be upgraded using the target upgrade file.
A step in which the vehicle-mounted controller divides the target upgrade file into a plurality of upgrade subfiles.
The vehicle-mounted controller uses a preset algorithm to generate a plurality of interrelated data blocks from the plurality of upgrade subfiles, and uses a second key to authenticate the first message of the plurality of data blocks. A step in which the code MAC is generated, wherein the second key is a symmetric algorithm key.
The invention according to any one of claims 1 to 4, wherein the vehicle-mounted control device sequentially transmits the plurality of data blocks carrying the first MAC to the target vehicle-mounted device. the method of. The above method
The vehicle-mounted controller further includes a step of encrypting each of the plurality of upgrade subfiles using a third key.
The step in which the vehicle-mounted controller generates a plurality of interrelated data blocks from the plurality of upgrade subfiles using a preset algorithm.
The vehicle-mounted controller includes a step of generating the plurality of interrelated data blocks from the plurality of upgrade subfiles encrypted using the third key using the preset algorithm. The method according to claim 5. The target upgrade file contains a plurality of upgrade subfiles, and a plurality of interrelated data blocks are generated from the plurality of upgrade subfiles using a preset algorithm, and the plurality of upgrade subfiles hold a fourth key. Carrying a second digital signature of the plurality of data blocks generated using the fourth key is an asymmetric key.
The step in which the vehicle-mounted control device performs security verification on the plurality of upgrade files is
The vehicle-mounted controller includes a step of inspecting the second digital signature of the plurality of data blocks.
The step of transmitting the target upgrade file to the target vehicle-mounted device to which the vehicle-mounted controller should be upgraded using the target upgrade file.
A step in which the vehicle-mounted control device uses a fifth key to generate a second MAC of the plurality of data blocks, wherein the fifth key is a symmetric algorithm key.
The method according to claim 1, wherein the vehicle-mounted control device sequentially transmits the plurality of data blocks carrying the second MAC to the target vehicle-mounted device. The method according to any one of claims 5 to 7, wherein the preset algorithm includes any one of a Hash Chain algorithm, a Hash Tree algorithm, and a Bloom Filter algorithm. The above method
The vehicle-mounted control device is a step of retransmitting the target data block to the target upgrade target vehicle-mounted device, and the target data block is verified by the target upgrade target vehicle-mounted device in the plurality of data blocks. The method of any one of claims 5-8, further comprising a step, which is a failed data block. An intelligent vehicle, wherein the intelligent vehicle includes a vehicle-mounted controller and at least one upgradeable vehicle-mounted device.
The vehicle-mounted equipment should obtain a vehicle-mounted upgrade package, perform security verification on multiple upgrade files in the vehicle-mounted upgrade package, and upgrade using the target upgrade file. The target upgrade file is sent to the onboard equipment, each upgrade file is used to upgrade at least one upgrade target vehicle onboard equipment, and the target upgrade file is an upgrade whose verification is successful in the multiple upgrade files. Is a file, configured to
The upgrade target vehicle-mounted device receives the target upgrade file transmitted by the vehicle-mounted control device, performs a secure upgrade using the target upgrade file, and the upgrade target vehicle-mounted device is the target upgrade target. It is configured to be a vehicle-mounted device,
Intelligent vehicle. The vehicle-mounted control device
The intelligent vehicle according to claim 10, which is specifically configured to perform digital signature verification on the plurality of upgrade files using the first digital signature. The vehicle-mounted control device
When the identification authentication information is transmitted to the upgrade server and the identification authentication information is authenticated by the upgrade server, a secure channel is established between the vehicle-mounted control device and the upgrade server, and the secure channel is established. Obtain the vehicle-mounted upgrade package from the upgrade server via
The vehicle-mounted upgrade package is specifically configured such as, or the vehicle-mounted upgrade package is encrypted using a first key, the first key being a symmetric key, and the vehicle-mounted controller.
After the first key is obtained from the key server and the digital signature verification performed on the plurality of upgrade files using the first digital signature is successful, the first key is used. Decrypt the multiple upgrade files,
The intelligent vehicle according to claim 11, which is specifically configured as such. The vehicle-mounted control device
The target upgrade file is split into multiple upgrade subfiles, a preset algorithm is used to generate multiple interrelated data blocks, and a second key is used to authenticate the first message of the multiple data blocks. A code MAC is generated, the plurality of data blocks carrying the first MAC are sequentially transmitted to the target vehicle-mounted device, and the second key is a symmetric algorithm key.
Specially configured as
The equipment mounted on the vehicle to be upgraded
The plurality of data blocks transmitted by the vehicle-mounted control device that carries the first MAC are sequentially received, and the plurality of data are sequentially received using the second key based on the preset algorithm. The blocks are validated sequentially, and once all of the plurality of data blocks have been validated, the plurality of sequentially validated data blocks are combined for upgrade.
The intelligent vehicle according to any one of claims 10 to 12, which is specifically configured as such. The vehicle-mounted control device
Each of the plurality of upgrade subfiles is encrypted using the third key, and from the plurality of upgrade subfiles encrypted using the third key using the preset algorithm. Generate the plurality of interrelated data blocks,
Specially configured as
The equipment mounted on the vehicle to be upgraded
When all of the plurality of data blocks are verified, each of the plurality of sequentially verified data blocks is decrypted using the third key, and the decrypted data blocks are decrypted using the third key. Combine multiple data blocks for upgrade,
The intelligent vehicle according to claim 13, which is specifically configured as such. The target upgrade file contains a plurality of upgrade subfiles, and a plurality of interrelated data blocks are generated from the plurality of upgrade subfiles using a preset algorithm, and the plurality of upgrade subfiles hold a fourth key. Carrying a second digital signature of the plurality of data blocks generated using the fourth key is an asymmetric key.
The vehicle-mounted control device
The second digital signature of the plurality of data blocks is inspected, a fifth key is used to generate a second MAC of the plurality of data blocks, and the second MAC of the target upgrade target vehicle is subjected to the second. The plurality of data blocks carrying the MAC of the above are sequentially transmitted, and the fifth key is a symmetric algorithm key.
Specially configured as
The equipment mounted on the vehicle to be upgraded
The plurality of data blocks transmitted by the vehicle-mounted control device that carries the second MAC are sequentially received, and the plurality of data are sequentially received using the fifth key based on the preset algorithm. The blocks are validated sequentially, and once all of the plurality of data blocks have been validated, the plurality of sequentially validated data blocks are combined for upgrade.
The intelligent vehicle according to claim 10, which is specifically configured as such. A vehicle-mounted equipment upgrade device applied to a vehicle-mounted system, wherein the vehicle-mounted system includes a vehicle-mounted control device and one or more vehicle-mounted equipment to be upgraded.
An upgrade package acquisition unit configured to acquire a vehicle-mounted upgrade package from an upgrade server, the vehicle-mounted upgrade package containing multiple upgrade files, and each upgrade file upgrades at least one vehicle-mounted device to be upgraded. The upgrade package acquisition department used to
The upgrade management unit, which is configured to perform security verification on the multiple upgrade files,
An upgrade transmission that is configured to send the target upgrade file to the target vehicle-mounted equipment that should be upgraded using the target upgrade file, and the target upgrade file is contained in the plurality of upgrade files. A vehicle-mounted equipment upgrade device that includes an upgrade transmission and an upgrade file whose security verification has been successful. The vehicle-mounted upgrade package includes a first digital signature, and the upgrade management unit is specifically configured to perform digital signature verification on the plurality of upgrade files using the first digital signature. The device according to claim 16. The device
An identification authentication unit configured to send identification authentication information to the upgrade server,
Further including a channel establishment unit configured to establish a secure channel between the vehicle-mounted controller and the upgrade server when the identification credentials are authenticated by the upgrade server.
17. The apparatus of claim 17, wherein the upgrade package acquisition unit is specifically configured to acquire the vehicle-mounted upgrade package from the upgrade server via the secure channel. The vehicle-mounted upgrade package is encrypted using a first key, the first key is a symmetric key, and the device.
It further includes a key acquisition unit configured to acquire the first key from the key server.
The device
After the digital signature verification is performed on the plurality of upgrade files using the first digital signature, if the digital signature verification is successful for the vehicle-mounted control device, the first key. 17. The apparatus of claim 17, further comprising a decoding unit, configured to decode the plurality of upgrade files using the device. The upgrade transmission unit
The target upgrade file is split into a plurality of upgrade subfiles, a preset algorithm is used to generate multiple interrelated data blocks from the plurality of upgrade subfiles, and the second key is used to generate the plurality of data. The first message authentication code MAC of the block is generated, the second key is the symmetric algorithm key, and the plurality of data blocks carrying the first MAC are sequentially transferred to the target vehicle-mounted device. The device according to any one of claims 16 to 19, specifically configured to transmit. The device
It further includes an encryption unit that is configured to encrypt each of the multiple upgrade subfiles using a third key.
The upgrade transmission unit
The plurality of upgrades are divided into the plurality of upgrade subfiles and encrypted using the third key using the preset algorithm for the vehicle-mounted controller. The plurality of interrelated data blocks are generated from the subfile, the second key is used to generate the first message authentication code MAC of the plurality of data blocks, and the second key is a symmetric algorithm key. The plurality of data blocks carrying the first MAC are sequentially transmitted to the target vehicle-mounted device for the target upgrade.
20. The device of claim 20, specifically configured as such. The target upgrade file contains a plurality of upgrade subfiles, and a plurality of interrelated data blocks are generated from the plurality of upgrade subfiles using a preset algorithm, and the plurality of upgrade subfiles hold a fourth key. Carrying a second digital signature of the plurality of data blocks generated using the fourth key is an asymmetric key.
The upgrade control unit is specifically configured to inspect the second digital signature of the plurality of data blocks for the vehicle-mounted controller.
The upgrade transmission unit uses the fifth key to generate a second MAC of the plurality of data blocks, and the fifth key is a symmetric algorithm key, and the device mounted on the target upgrade target vehicle is subjected to the above. 16. The apparatus of claim 16, which is specifically configured to sequentially transmit the plurality of data blocks carrying a second MAC.